[BreachExchange] Woodstock city, police targeted by 'cyber attack'

Destry Winant destry at riskbasedsecurity.com
Thu Sep 26 10:52:31 EDT 2019


The City of Woodstock and the Woodstock Police Service are both
currently suffering cyber attacks.

Woodstock’s top administrator, David Creery, confirmed the city had a
network breach early Saturday morning around 4 a.m. when a virus
entered its computer system. That virus has since prevented the city
from accessing its email and data networks.

Creery said the city has engaged experts and police in its
investigation, including the Woodstock Police Service and the OPP
cyber-crimes unit.

The attack “has the appearance” of ransomware, though no formal
ransom demand has been made, Creery added.

Ransomware is a type of malicious computer program that denies access
to the system or its data until a ransom is paid. If that ransom is
paid, the hacker then provides a key or password that unlocks the

The Woodstock Police Service is also experiencing a separate attack
that started around 2:30 a.m. Monday morning, Insp. Marci Shelton
said, but police have not indicated whether it is ransomware.

Police are continuing operations largely as normal and police response
is not impacted, Shelton stressed. The department’s email and internet
networks are down, so residents cannot use online reporting tools or
Facebook Messenger, but otherwise response and reporting continue as
usual. Residents should call the station if they need police or dial
911 in emergencies.

Through expert examination of the city networks, Creery said there is
no indication that any personal or financial information has been
compromised. Shelton said there is no indication of personal or
financial information being stolen from police either.

The city is currently in the process of minimizing the impact and
resolving the attack, including containing the city’s network and
using experts to examine the city’s computers to determine how, when
and why the attack occurred. Creery said the city hopes to begin
recovery of its systems later Tuesday.

Woodstock police are working with the OPP cyber-crimes unit, as well
as its own investigators, IT staff and a third-party company to
resolve its cyber attack, Shelton said.

The City of Stratford experienced a similar attack in April and, last
week, officials revealed they had paid a hacker the equivalent of
$75,000 in Bitcoin. The attack crippled the city’s computer system,
though the city later said there was no evidence of data theft
following the attack.

Carmi Levy, a London-based tech analyst, said these kinds of attacks
are becoming increasingly common.

“The fact that you have two significant high-profile ransomware
attacks relatively close together … confirms that this is a major
issue and it is getting worse,” Levy said.

But the very last thing cities should do if experiencing a ransomware
attack is pay, Levy added.

“In some cases, the hackers could simply take the money and run. …
Even if they do unlock your data and allow you to regain access to
what was lost, the fact that you elected to pay makes you more likely
to be attacked in future,” Levy said.

Payment amounts to a “feeding frenzy among sharks,” Levy added.
Hackers will be more likely to target you in future, and it sets a
dangerous precedent for all hackers looking at cities as potential

Though he’s not involved in Woodstock’s response to this attack, Levy
said a ransomware victim would typically be restoring backup data,
reinstalling operating systems and apps, and rebuilding its
infrastructure, essentially from scratch.

If the city was well-prepared, that would allow the city to come back
“like the attack never happened” without paying a ransom – saving the
city a lot of money and aggravation, Levy said.

The city’s email system is currently down, the statement noted, but
residents can continue to call city hall and all third-party systems,
such as the city’s website and registration for recreation programs,
are running as normal.

What you need to know: City of Woodstock cyber attack

Q: What is ransomware and what is its goal? Why is it different from
other types of cyber attacks?

Ransomware isn’t about stealing data, unlike other types of attacks
that take data and sell it on the black market, Levy said. Ransomware
freezes or locks a victim’s access to their own information, holding
it hostage until a ransom is paid.

“Data does not have to be stolen in order for an attack to be
damaging. Lack of access to your data or critical systems can be just
as damaging to your business, and if you are a civic administration,
you don’t have to lose data in order to suffer a very expensive loss,”
Levy said.

Q: How do cyber attacks happen?

Most often, through human error, Levy said, although the cause hasn’t been
made public in these Southwestern Ontario cyber attacks, including a
similar attack in Stratford this spring.

“An employee or contractor, someone connected to the victim, opening
an email with a link or button in it. It is not legitimate but looks
legitimate,” Levy said. That starts the attack.

Q: If you were attacked, should you pay the ransom to get access to your data?

Simply put, no.

Levy said that not only does paying a ransom cost you, literally, it
doesn’t mean it will resolve the issue. The hackers can always take
the money and run without freeing your data, Levy said. But if you pay
this time, it makes you a target in future.

“The criminal hacking community always looks for the weakest link,” he said.

Q: What is the appeal in going after a municipality if you’re not
stealing personal information?

First, Levy said cities and civic administrations are high-profile targets.

“In the criminal hacking community, attention is currency. The bigger
the victim, the more notorious you (as a hacker) are,” Levy said.

And then there’s the money: Cities have it and, by hitting a target
that has money, hackers up the likelihood of a payout.

Q: Are these types of cyber attacks a trend, and how much of a threat are they?

Yes, it’s a trend, and municipalities should be worried, Levy said.
Generally speaking, they’re woefully underprepared to respond.

“Over the past few years, ransomware has become the number one cyber
security threat to all of us and the situation continues to worsen,”
Levy said.
