Emerging Cyber Threats: Ransomware, Cryptojacking, and IoT Attacks
August 07, 2019
Focus Area — Innovation & Technology
From the recent Desjardins data breach to the ongoing ransomware crises facing many municipal governments, Canadians have been receiving regular reminders that “cyber crime is rising and shows no sign of slowing down". The growing number of internet-connected devices, and the emergence of new types of cyber-attacks, have fueled the growth of these attacks, affecting 1 in 5 Canadian businesses while costing at least $120 million dollars in 2018 in ransomware alone .
Canadian organizations should pay special attention to these three new types of emerging cyber-attacks:
Cyber criminals often steal or illegally gain access to data, files, systems, and devices that do not belong to them; ransomware has brought a new dimension to this illegal activity. When a ransomware attack occurs, criminals use malicious software to block a victim's access to their data, files, systems, or devices. If the victim wants to regain access to their property, they must pay a ransom. The complexity of the malicious software and the size of the ransom demanded vary significantly from attack to attack.
Businesses have been targeted with diverse types of ransomware attacks since the mid-2000s; however, there has been a recent surge in attacks, with Canadian organizations and individuals facing a 360% increase in attacks . This surge has been associated with the increasing number of devices in our homes and businesses, the complexity of those devices, and the relatively low cost of initiating a ransomware attack.
Cryptojacking is one of the newest types of cyber threats. A cryptojacking attack relies on malicious software illegally taking over (i.e. hijacking) a digital device's computational power to mine cryptocurrencies, such as bitcoin or Ethereum. Cybercriminals either install malicious software that runs covertly on a digital device, or they temporarily hijack a victim’s web browser while they are visiting an infected website; this latter type of cryptojacking attack is referred to as “drive-by cryptomining.”
Like ransomware, cyber criminals are attracted to cryptojacking attacks because there is a low cost— as well as the possibility of a high reward—associated with initiating this type of attack. In Canada, cryptojacking has been a burgeoning menace. Last year, thousands of Canadians were the victims of drive-by cryptomining attacks , and St. Francis Xavier University suffered a major cryptojacking attack that affected the speed and availability of many of their digital services.
IoT attacks have been taking place since Internet of Things (IoT) devices—such as Internet-connected appliances, smart toys, and voice-enabled smart home devices, like Siri and Alexa—started gaining popularity in the early 2010s. Since then, IoT attacks have taken many different shapes and forms, reflecting the diversity of the millions of diverse IoT devices online in Canada. For example, some IoT devices have been hijacked for distributed denial-of-service (DDoS) attacks, which can be used to knock digital services offline. Other IoT devices have been used to spy on workplaces, homes, and schools .
IoT attacks are increasingly common worldwide, including in Canada. The Government of Canada’s recent National Cyber Security Strategy highlighted IoT attacks as one of the biggest areas of concern in the coming decade. Canadians must remain vigilant in updating their IoT devices’ security settings, and be aware of the risks presented by devices with difficult-to-update settings, such as medical devices.
When OHS and HR work together, strategies to deal with risks to employees’ health and safety are likely to be more effective. Policies will benefit from diverse perspectives. The impact of substance-use policies can be more thoroughly audited with OHS’s experience with risk/hazard assessment and HR’s knowledge of external policies. Organizations can also better understand the impact of workplace accommodations thanks to OHS’s focus on safety and HR’s experience with the accommodation process.
At the Conference Board of Canada, we organize events for cyber security executives through our Cyber Security Council (CSC). Members of the council meet regularly to discuss cyber security strategies, challenges, and concerns for their organization and industries.
At some of the upcoming CSC events, we’ll dive into each of these topics in greater detail, including what we can do to mitigate the harm caused by these types of attacks. Emerging Cyber Threats will be the focus of our webinar on August 26th and our CSC event on September 12th. If you’d like to learn more, sign up to attend one of the events!
Dr. Vanessa Thomas
Senior Research Associate I