We have your company in our hands: RM of Gimli hacked

The RM of Gimli said it was hacked last week, leaving it without access to its IT systems, but wouldn’t confirm whether it’s being held for ransom.

One of the ransom notes the hacker group Payload sends to its victims (image: Ransomware.live)

A hacker group called Payload has taken responsibility for breaching the municipality’s systems. It’s allegedly holding RM data hostage and asked for a “negotiation” or the group will publish the data on the internet.

The RM’s CAO Diana Chapman had posted a notice on the municipality’s website on April 28, advising the public of a “cyber security incident” that impacted the RM’s IT systems, and asked that ratepayers pay their municipal bills at the bank. The RM also engaged a cybersecurity firm to investigate what happened.

“Currently, we are still determining the scope of the impact and will provide updates as soon as more information becomes available,” said Chapman in the notice.

The Express asked the mayor and council several questions, including whether hackers contacted them, whether staff and taxpayer data was stolen, and what council’s plan is to upgrade its IT system.

Many questions were left unanswered, but council spokesperson Christine Payne indicated last Friday that the RM was still trying to get its IT systems up and running.

“We’re still determining the scope of the impact. We’re focused on bringing systems back online safely and investigating the incident. We understand the inconvenience and frustration this has caused and thank residents and our employees for their patience,” said Payne. “We’ll share an update as soon as we have more information.”

Ransomware group Payload is fairly new, having just come on the scene in February. It’s known to have breached at least 41 companies around the world to date, according to Ransomware.live, a free site operated by French cybersecurity expert and lecturer Julien Mousqueton.

Mousqueton monitors ransomware groups’ “data leak sites” in real time, lists newly published victims, and identifies negotiation chats and the dollar amounts initially demanded. His site is used by law enforcement, cybersecurity professionals, journalists and researchers.

The monitoring site discovered Payload’s “post” about the RM of Gimli on April 27. The post describes the municipality as a “local government district” that’s known for its “Icelandic heritage, recreational tourism and lakefront economy.” It’s accompanied by a file size of 69 GB and URLs for the victims to “start negotiations” with the group.

One of Payload’s ransom notes states: “The next 72 hours will determine certain factors in the life of your company: the publication of the file tree, which we have done safely and unnoticed by all of you, and the publication of your company’s full name on our luxurious blog. NONE of this will happen if you contact us within this time frame and our negotiations are favorable.

“We are giving you 240 hours to: 1. familiarize yourself with our terms and conditions, 2. begin negotiations with us, 3. and successfully conclude them. The timer may be extended if we deem it necessary (only in the upward direction). Once the timer expires, all your information will be posted on our blog.”

The note goes on to warn its victims that contacting the “authorities” or “recovery agencies” will not help them. A set of instructions is provided as to how the victims can obtain up to three encrypted files of their data that Payload will then “decrypt” so that victims “understand that we can do it.”

Retired systems analyst and software engineer Bill Buckels said the RM of Gimli got hacked because its IT system is “hackable” and “exposed,” likely for the sake of user convenience.

The protection of privacy and IT system integrity — which should be “Job One” — is often compromised in favour of convenience, such as allowing staff to log in to a company’s system from home or elsewhere.

Payload’s ransom notes invite their victims to negotiate and offer them a preview of the data they’ve stolen in order to compel the victim to pay for the destruction of the data and the restoration of their IT systems, he said.

“It looks like Payload is hacking their way around the world, including here in Manitoba with the RM of Gimli,” said Buckels, who looked over the group’s list of victims. “It appears they’re targeting companies that really need their data to function as a business.”

The ransom note was likely delivered to the RM of Gimli via email, as its email system is still functioning.

The instructions provided by the hackers to verify proof of theft are not for an “average person or a municipal CAO to work with, but for an IT person” with an understanding of computer systems, he added.

“The ransom notes look like boilerplate form letters, and the hackers have fairly technical instructions about how to get hold of them. They also have an ID field that’s been left blank, and they likely assign an individual ID to each of their victims so the [victims] can download the hackers’ plug-in (app) and use that unique ID to log into the hackers’ system,” said Buckels. “Payload is basically saying, ‘We have your company in our hands.’”

The 69 GB file size could represent anything.

“The 69 GB is a blob of something,” said Buckels. “Whatever it is, it uses that much space. It could be a series of links to the [RM’s] data or it could be the data itself, I don’t know.”

Buckels said Payload could have obtained an RM of Gimli employee’s password via clickbait, or purchased thousands of previously stolen usernames and passwords on the dark web. Once in possession of the password, the hackers logged into the RM’s IT systems and locked staff out while they siphoned off data.

“Maybe they tried every municipality and Gimli was the only one that didn’t close its front door. And isn’t that what the problem is here — the RM didn’t close its front door? They have no choice but to pay these hackers even though they have no guarantee the hackers won’t come back at them next week and say, ‘We stole your data again because you’re IT incompetent,’” said Buckels.

“There are millions of hackers and they’re all different. What they all have in common is a list of systems they want to get into. Hackers will also employ young budding hackers, basically kids, to go shop around the world on the internet for front-door logins, and they’ll find a bunch of IT systems that are not very secure. Then they’ll bargain with other cybercriminals, who’ll say, ‘I’ll give you 50 systems that aren’t secure, buddy.’ Gimli could have been in that bundle. Hackers will sell so many systems for $500 or whatever. Then other hackers will go to work getting the data.”

The hackers will likely analyze what ratio of victims will pay up and target those that “really need” their client data to operate.

As the RM hasn’t indicated what kind of data was stolen, Buckels said he’s guessing that it could be ratepayer information — personal details affiliated with sewer and water payments or property tax — as well as employee records.

“It’s valuable data for sure. What the RM of Gimli needs to do is offer residents credit-monitoring protection,” said Buckels. “You as a victim are obligated to take what’s offered because if you decided to sue a company later for allowing your data to be accessed or you become part of a class-action lawsuit, the court will want to see that you’ve taken the proper steps and did your due diligence.”

Given the non-stop proliferation of governments and companies seeing clients’ highly sensitive personal data flying out their doors, Buckels said the IT industry needs to start building robust and secure systems again rather than convenient systems that allow people to work remotely.

“The IT systems of old used to be fortresses. We’re living in a networked world now and we need to be more discreet about what we’re doing online and how we’re doing it. We’re surrounded by hackers and we’re being careless because we’ve been taught to value convenience,” said Buckels.

“And the industry needs to bring back information-hiding; no company should be allowed to have client data sitting on a server linked to the internet — and be able to send huge chunks of data flying across the internet. It doesn’t pay to hack one guy; hackers are looking for large amounts of data to steal. Everybody needs to keep a small covered manhole instead of a gaping tunnel that a school bus can drive through.”

It also wouldn’t hurt to “take people aside and make them prove they’re qualified to use a computer” in order to avoid “mistakes” such as using weak passwords or the same password across multiple applications, and to have them think twice before they click any link.

When asked how the public can force IT developers to keep us safe from hackers, Buckels said that if they “can’t build secure systems, we shouldn’t use their system. If I drive a car recklessly, I’ll get my licence taken away. That’s what should happen to developers that fail to keep us safe.”

The RM of Gimli is not the only municipality in the province that’s been hacked. Manitoba’s Auditor General Tyson Shtykalo released a report last year reviewing allegations of cybersecurity breaches in several municipalities.

The RM of Westlake-Gladstone had over $472,000 stolen in unauthorized withdrawals between 2019 and 2020 via unauthorized access to its online banking account.

“Cybersecurity threats are one of the biggest risks organizations face, due to the growing reliance on technology (including widespread adoption of cloud-based storage and artificial intelligence),” said Shtykalo. “It is critical for organizations of all sizes to act appropriately to ensure they are resilient to cybercrime, which could have financial and privacy impacts.”

Buckels said he wants to know if the RM of Gimli has followed the auditor general’s advice.

“We will find that out in the days ahead if our local politicians are honest with us and realize that the public has a right to know,” he said.

Patricia Barrett
Reporter / Photographer
