A ransomware attack on the Resort Municipality of Whistler (RMOW) could have far-reaching consequences, according to a cyber security expert, but there’s no way of knowing for sure until a full forensic investigation is completed.
In a recent post to the dark web (a part of the internet not visible to search engines, and accessed through an anonymous browser called Tor), the cyber criminals claim to have accessed about 800 gigabytes of RMOW data.
“Whistler people personal information (names, addresses) sql databases, stats, huge email dumps, emails database, passwords, network scheme, services, private documents placed on darknet auction,” the post read.
“It will be sold in next 7 days. Follow to chat to bet. ~800gb of archive. Yum yum.”
But there’s no way of knowing what the criminals actually have, said Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
“These are criminal organizations. They don’t always tell the truth,” Callow said, adding that, because the cyber criminal’s systems are all scrambled, it’s not at all easy to work out what data was taken.
“It can require a forensic investigation that can take several weeks to complete, if they can work it out at all,” he said.
“And the criminals do attempt to use that uncertainty. There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing.”
Data is stolen in about 70 per cent of ransomware attacks, Callow said.
As for the amount that could be being demanded, “it could be a lot,” he said.
“The highest amount on record to date, at least the highest amount to have become publicly known, is $50 million.”
While “it’s very hard to say” how local governments should respond to threats like this, “my personal feeling is that organizations should never pay,” Callow said.
“It doesn’t guarantee they will get their data back, it doesn’t guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime.”
And while it’s still unclear how the hackers breached the RMOW servers, in about 50 per cent of cases, it is through email phishing scams, Callow said—instances where someone has inadvertently downloaded remote access software.
“That gives the criminals access to the network. They can then use various methods to move laterally throughout it; they elevate their privileges, they disable security products, they suck out the data, and then when they’re good and ready they finally encrypt the network,” he said.
“And that is the point at which the organization realizes it has a major problem. But of course by that point their data is already long gone.”
With the technology and tactics constantly evolving, safeguarding against cyber crime is “a constant and ongoing game of Whack-a-Mole,” Callow added.
While the extent of the breach is still unknown, Whistlerites—and indeed any business or organization that has an account with the RMOW—should “work on the assumption that the cyber criminals now have whatever information the municipality held about me,” Callow said.
“That may not be the case, but it is best to be safe than sorry.”
A report published recently by Emsisoft estimates that the average ransomware demand grew by more than 80 per cent globally in 2020, with a minimum of $18 billion paid in ransoms.
In Canada, there were 4,257 reports of ransomware demands, with a minimum cost of about $165 million.
“The data that ends up being posted online in these cases can be extremely sensitive. We have seen information relating to alleged cases of child abuse, for example, be posted online, [and] medical reports about those children, when social services departments and/or healthcare providers have been hit,” Callow said.
“And that’s really terrible. If your financial information leaks, at least you can eventually fix your credit. When extremely sensitive personal information like that leaks, once it’s out there, it’s out there. There’s nothing you can do about it at all.”
RMOW CONDUCTING FORENSIC INVESTIGATION; SERVICES REMAIN OFFLINE
The RMOW is conducting a forensic investigation to determine what information was accessed by the hackers, and is asking the public to be vigilant about communications appearing to come from the RMOW.
The municipality does not ask for private information by phone or email, the RMOW said in a recent update at
"We are taking it extremely seriously and are working with cyber security experts and the RCMP to confirm the nature of the threat. In the event personal information is impacted, we are putting measures in place to protect those people," an RMOW spokesperson said in a text message, adding that the RMOW has full control over its servers and website.
The municipality also has cyber security insurance to protect from criminal activity such as this, the spokesperson said.
Should the forensic investigation determine that personal information was accessed, the RMOW said it will inform affected individuals immediately. Meanwhile, the municipality is further strengthening its security safeguards to ensure that all information in its custody remains secure, according to an update posted to whistler.ca.
“I appreciate that this is having a large impact on our community already challenged by COVID-19, as well as Whistler property owners and those who have accessed RMOW services in the past,” said chief administrative officer Virginia Cullen. “Although we have robust protections in place to prevent this type of illegal event, these cyber criminals breached our server. As soon as we were aware of this, we took measures to prevent further access, and are now in the process of working with cybersecurity experts before we put the system back online.”
Infrastructure such as water and sewage, and emergency systems such as 911 and the Whistler Fire Department have been secured and continue to operate as normal, though RMOW email, phone and network services are still offline. In-person service at municipal hall has also been temporarily suspended.
All council meetings scheduled for Tuesday, May 4 have been cancelled.
An Incident Command Team has been activated to focus on business continuity and restoration of services, and the public can call 604-932-5535 from 8 a.m. to 4:30 p.m. Monday to Friday with any questions.
After gaining access to the municipal server earlier this week, the "cyber criminals" left an ominous message.
“this is very fun … guys, if we do not talk now, you’ll have big troubles in future,” read the message.
“I have a lot of patches on your systems to gain access and you can’t restore your network from backups again. So talk in chat and I’ll stop this now. I’m waiting.”
The message included a link to download the Tor browser, which enables anonymous communication online, along with another link followed by more ominous words: “no way to run.”
Find updates at , and check back with Pique for more as this story develops.