Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/743478
LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2016 91 BY GEORGE TAKACH TECHNOLOGY Ransomware has grown into a massive criminal enterprise, and companies seem all too willing to pay Cybercrime's Latest Tactic TECH ENTREPRENEURS are continu- ally inventing new business models for the internet, and a day doesn't go by that some novel way to monetize the digital environ- ment isn't discovered. e pace of change can truly take your breath away, and society is much the better for it. Unfortunately, criminals are no less entrepreneurial. It is astounding how cre- ative they are, and the cycle of invention in criminal circles is no less robust than in the legitimate economy. And so perhaps it is no surprise that the criminal hacker, who previously focused exclusively on penetrat- ing your IT systems, stealing your sensitive data and selling it to unscrupulous third parties over the dark web, is now being joined by other criminals who break into your computers, but then block you from accessing your data and extort a ransom payment from you. is is the recent, meteoric rise of the so- called ransomware phenomenon. NOTHING NEW UNDER THE SUN While the incidence of ransomware attacks has been growing recently, it is by no means a new criminal practice. In one of Canada's first reported com- puter-crime decisions in the mid-1980s, R. v. Turner (1984), the accused installed soware on the victim company's comput- er system that blocked the company from accessing its own data. In this case, the ac- cused was convicted under the Criminal Code's mischief provision, but the judge also suggested that the soon-to-be enacted section 430(1.1) of the Criminal Code would also address this type of behaviour. Alas, the problem with ransomware is not that we don't have a legislative response, because we do. e rub is that we are seeing so much of it; and, ironically, the amounts being extorted are small enough — typical- ly under $50,000 — that victims oen find payment of the ransom is the easiest and quickest course of action. (For example, a recent survey of IT shops found that 34 per cent of ransomware attackers are demand- ing between $1,000 and $5,000 to release the data, and only 10 per cent hold out for between $10,000 and $50,000.) is is particularly the case because, in many if not most of the occurrences, the perpetrator of the crime is offshore, and therefore pursu- ing a criminal investigation, let alone a civil one, is impractical. So it was not surprising when the nation- al press publicized the fact that a university in western Canada, hit with a ransomware attack in the spring of 2016, opted to sim- ply pay the $20,000 ransom that was de- manded. In another highly publicized inci- dent, a hospital in Florida decided in 2015 to pay the $50,000 that was demanded be- cause they reasoned that that was the surest way to ensure there would be no disruption in health care to its patients. And, incidentally, this hospital is not the only company under siege in the health- care sector, which is apparently the target of some 53 per cent of ransomware attacks, followed closely by financial services as the most hacked target industry. STANDING UP TO BULLIES Not everyone, however, who is hit with a ransomware attack takes the path of least resistance. Also in 2015, a medium-sized law firm in the United States was faced with a ransomware situation. Rather than pay the amount demanded, the law firm called in forensics experts and determined that no client data had been compromised PHOTO: SHUTTERSTOCK | COLUMNS |