A ransomware attack that disabled government communications systems in the northern Canadian territory of Nunavut November 2nd is part of a pattern of attacks being launched against non-US targets, cybersecurity firm Emsisoft claims.
The company says ransomware attacks are increasingly being directed at municipalities, hospitals and schools in Canada, South Africa, Spain, Australia and the UK.
This may be because US targets are “on very high alert, (and are) bolstering their IT,” the company writes:
“Because of this, big game hunters are increasingly looking for opportunities in the other countries.”
In a ransomware attack, malware typically included in an email link infects a computer or network and locks out the rightful operators using encryption.
Attackers then demand a payment of cryptocurrencies in exchange for decrypting locked information and systems.
According to the Canadian Broadcasting Company (CBC):
“The government of Nunavut’s communications system was the victim of a ransomware attack early Saturday morning, and as of Sunday night officials still did not know when systems would come back online.”
Emsisoft says the ransom note posted on Nunavut government computers after they were frozen in the hack is the same one that has appeared on other computers compromised by DoppelPaymer.
Text from a ransom note seen by the CBC reads:
“Your network has been penetrated…All files … have been encrypted with a strong algorithm.”
“We exclusively have decryption software for your situation.”
The note also reportedly tells affected parties that they must download an encrypted browser and visit a specified website to pay a ransom within 21 days:
“After that period if you not get in contact link and the key for your data would be erased completely…the faster you get in contact — the lower price you can expect.”
Emsisoft says Dridex trojan malware is usually spread via a Word doc email attachment.
“So, it works like this,” Emsisoft claims:
• “Someone in the org opens an email they shouldn’t.”
• “Dridex gets installed.”
• “Dridex is used to deploy DoppelPaymer.”
Emsisoft research indicates a steady decline of reported Dridex attacks on US municipal, school and healthcare targets in recent months, from 44 in July to 24 in August and September and 16 in October.