Behind closed doors at Hamilton’s city hall, staff are in emergency mode, scrambling to respond to a ransomware attack that’s disabled dozens of services for over a week.
Few details have been released about the attack on Hamilton’s computer systems. The situation is ongoing and therefore “sensitive,” both the mayor and city manager have previously told reporters.
But CBC Hamilton spoke to four experts who said the impacts are likely extensive.
“What we’re observing in Hamilton is serious,” said McMaster University Prof. Andrea Zeffiro, an expert in critical data studies.
Although the city’s emergency and water services have been spared, many other services residents rely on, such as accessing WiFi at the public library, paying for services online or with debit or credit cards, and calling programs and staff, are unavailable for the second week in a row. Some city workers, such as bus drivers, have had to go without computerized aids. Council committee meetings have been paused.
There’s also no timeline for when services will be restored.
Attackers are ‘adapting their tactics’
Ransomware is a type of malicious software that “denies a user’s access to a system or data until a sum of money is paid,” according to the Canadian Centre for Cyber Security.
Ransomware attacks are likely the most disruptive form of cyber crime and have the power to render entire systems useless, destroy vast amounts of data and be costly, complicated and lengthy to recover from, according to the agency’s national report for 2024.
While the experts CBC Hamilton interviewed this week don’t know the behind-the-scenes details about the Hamilton attack, they shared insights based on other municipalities’ experiences.
“The ways attacks are carried out are constantly changing,” Zeffiro said.
“These groups are adapting their tactics in response to security measures and even organizations with really good data security are susceptible.”
Municipalities becoming common targets
What experts do know is attacks are often co-ordinated by criminal organizations with links to Western adversaries like Russia, North Korea, Iran and China, said Kush Sharma, a director at Municipal Information Systems Association (MISA) Ontario.
The attackers look for targets where they can shut down services or steal personal information so they have ample leverage when they demand payment.
“Municipalities in Canada are actually housing some of the most critical infrastructure in the country — water systems, transportation, solid waste, elections, emergency services,” Sharma said.
It’s unclear exactly how many cities and towns have been hit, as they’re not required to report every breach to one centralized body, Sharma said.
Based on MISA Ontario’s 2023 survey, approximately nine per cent of municipalities have faced a “significant cyber breach” in the past two years.
It took up to a month to recover critical systems and the initial ransom requests ranged from less than $50,000 to over $1 million depending on the size of the municipality, the research suggests.
That’s making them increasingly common targets, he said.
For the attackers themselves, it’s about the money, said Calvin Chrustie, a critical risk consultant. For the countries they’re linked to, it’s about disruption.
“When you’re seeing city halls, and provincial and federal governments getting hit, it could be purely to create chaos and disruptions within Western democratic systems,” said Chrustie, also a former RCMP senior operations officer who specialized in transnational organized crime.
The most common way for attackers to get malicious software into municipal systems is by tricking an employee into handing over credentials, said Sharma.
One common way is through phishing emails or texts, which look like legitimate requests to provide passwords and other information, but are actually fraudulent, he said.
Then the attackers wait, sometimes months, and gradually gain access to more of the IT system until they are ready to deploy the ransomware, Sharma said.
In Hamilton’s case, city manager Marnie Cluckie has said staff don’t believe personal data has been accessed.
But the attackers could’ve encrypted system data, meaning staff would be seeing “mumble jumble” on their computer screens, said Sharma. The attackers would be demanding payment in exchange for a key that restores the systems.
Should the ransom be paid?
Once a breach is discovered, the impacted organization deploys a “flood” of experts to protect unimpacted databanks, mitigate the damage and restore services, Chrustie said.
When it comes to whether or not to pay the attackers, there’s no uniform strategy and every case is different, said Chrustie. However, he generally says it’s a bad idea. Not only is there no guarantee the data or systems will be restored, but it also incentivizes the attackers to do it again.
“What [paying] often does is fuel and perpetuate and bankroll cyber attacks on your next door neighbours,” he said.
Former Stratford, Ont. Mayor Dan Mathieson, now a senior adviser at Toronto Metropolitan University’s Rogers Cybersecure Catalyst institute, said when his city was attacked in 2019, it wasn’t that simple.
Police strongly advised against meeting the approximately $75,000 demand, Mathieson said. But Stratford’s insurance company told them to make the payment, which would be covered under its policy.
On the other hand, the insurance company said, if the city didn’t pay, and instead opted to rebuild its database from scratch, it wouldn’t cover those expenses, according to Mathieson.
“Do I want the insurance money and get my problem fixed and move on?” Mathieson said. “Or do I want to stand on principle like the police want me to do? Municipalities are left with these real deep conversations about what’s acceptable [and] what isn’t.”
The city ended up paying the ransom and the system was back up and running in less than a month, Mathieson said.
Hamilton renewed its cyber insurance with Gallagher Canada and Marsh Canada earlier this year, according to a staff report. The premium in 2023 cost the city $457,000.
Cluckie, the city manager, has said the city is currently working with its insurers, as well as legal counsel and cybersecurity experts from a company called Cypfer, and has notified police.
A lengthy recovery expected
Regardless of whether or not the ransom is paid, it can take as long as a year for a municipality to fully rebuild the IT infrastructure to arm it against future attacks, said Sharma. The cost to rebuild is usually upwards of a million dollars.
Right now, each Canadian municipality is in charge of storing and protecting its data, and deciding how to handle breaches, despite having limited funding and expertise.
“We spend all this time talking about how we want to bring services online, make them more efficient and be open to people,” Mathieson said.
“But at the end of the day, the foundation is really at risk because if we don’t have the right security systems in place, we’re going to have a problem.”
Mathieson and other experts are calling for a more co-ordinated strategy run through provincial or federal governments, such as a centralized — and heavily protected — database or response centre.
Ontario’s Ministry of Public Business Service Delivery is building relationships with municipalities and other organizations to improve cybersecurity through education, said spokesperson Joey Wu.
The province is “dedicated to protecting Ontarians and their data,” Wu said.