Cybercrime as-a-service , DDoS Protection , Fraud Management & Cybercrime

Hackers Demand $770,000 Ransom From Canadian Banks

Cybercrime: FBI Says Ransomware, Extortion Continue to Dominate
Hackers Demand $770,000 Ransom From Canadian Banks
Bank of Montreal head office in Montréal. (Photo: DXR, via Wikimedia Commons)

Hackers have demanded a ransom of 1 million Canadian dollars ($770,000) each from two banks, payable in the cryptocurrency exchange system Ripple's XRP token, national Canadian broadcaster CBC News reports.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

The ransom demand comes on the heels of the Bank of Montreal, operating as BMO Financial Group, and Simplii Financial, a banking subsidiary of the Canadian Imperial Bank of Commerce, on Monday reporting that they'd been warned that some of their client data may have been exposed on Sunday (see Two Canadian Banks Probe Alleged Exposure of Customer Data).

Neither bank commented to Information Security Media Group about how they learned about the alleged data breach, which both say they're investigating. BMO is Canada's fourth largest bank by assets and may have had 50,000 customer details exposed. CIBC is the country's fifth largest bank and may have had 40,000 customer details exposed.

"We warned BMO and Simplii that we would share their customers informations if they don't cooperate," reads an email from the purported thieves, CBC News reported on Wednesday.

In the email, which CBC reports was of Russian origin, the hackers claim they used an algorithm to generate authentic account numbers, which enabled them to pose as legitimate accountholders and begin a "lost password" process that enabled them to reset security questions and gain access to accounts.

"They were giving too much permission to half-authenticated account which enabled us to grab all these information," according to the email, which said each bank "was not checking if a password was valid until the security question were input correctly."

Hackers set a deadline to receive the ransom payment. "These ... profiles will be leaked on fraud forum and fraud community as well as the 90,000 left if we don't get the payment before May 28 2018 11:59PM," the email said.

It's not clear if attackers have followed through on that threat.

Report: Stolen Data Appears Legitimate

CBC News said attackers shared details they obtained from two breached accounts - one at each bank - and that it was able to verify with both Canadian accountholders that the shared account information was genuine.

The cryptocurrency wallet into which attackers demanded the banks transfer their ransoms already had $3.9 million worth of XMR in it, CBC News reports, or the equivalent of five times the attackers' ransom demand to the banks.

Earlier this week, a Simplii spokesman declined to comment to ISMG about whether attackers had demanded a ransom from the bank, "except to say that it is our practice not to pay ransom demands."

BMO has not responded to multiple requests for comment from ISMG. But the bank told CBC News: "Our practice is not to make payments to fraudsters."

Recommendation: Never Pay

Law enforcement and information security experts have long urged organizations to never pay ransoms, since it directly funds criminals, encourages attackers to continue, attracts new criminal operators and also pays for ongoing research and development (see Ransomware: Is It Ever OK to Pay?).

Experts say organizations that pay a ransom make an easy mark, whether for the same crime gang to come back asking for more, or for others who spy an easy target.

At the same time, authorities in the U.S. and U.K., at least, have been clear: The choice of whether to pay is up to businesses. Legal experts in the U.S. have said that unless prosecutors could trace a payoff to terrorists, there is likely no legal way to punish businesses that pay ransoms or extortion demands.

FBI: Ransomware and Extortion Dominate

But the continuing prevalence of these types of attacks suggests that enough victims pay to make it worthwhile for attackers.

Indeed, the FBI says these types of rackets are one of the top two cybercrime schemes it's seeing today. "The main thing that keeps hitting is ransomware and extortion," said Special Agent Efrene G. Sakilayan, the FBI's assistant legal attaché to the U.K., at the "International Conference on Big Data in Cyber Security" in Edinburgh, Scotland, on Thursday. "That is the name of the game, that's why there is a billion dollars of bitcoins today."

Bitcoins and other cryptocurrency such as bitcoin cash, dash, ethereum, litecoin, monero and zcash, provide thieves with an easier way to monetize their extortion rackets, by giving victims a pseudonymous way to remit payments remotely (see Bitcoin's Reign on the Dark Web May Be Waning).

From a money laundering standpoint, using cryptocurrency wallets - including "tumbling" or "mixing" techniques that split cryptocurrency into smaller amounts and shuttle it between wallets - also make it more difficult for authorities to "follow the money" (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).

When Victims Pay

None of this would be possible - or necessary - if more organizations had better information security practices in place, and if they committed to never paying a ransom to attackers, even if it was less expensive than the alternative.

It's unclear how many organizations do pay ransoms, whether in response to threatened or in-progress distributed denial-of-service attacks, to try and forestall attackers from selling stolen data, to unlock systems infected with ransomware, or in response to some other online shakedown attempt.

Earlier this week, Associates in Psychiatry & Psychology, a mental health clinic located in Rochester, Minnesota, told ISMG that it had paid a ransom to attackers after its systems were crypto-locked with "Triple-M" ransomware. The practice declined to say how much money it remitted to attackers.

Numerous other organizations have also admitted to paying a ransom in the hope that they'll get a working decryption key for crypto-locked systems, or that their attackers will honor promises to delete stolen data without dumping it online (see Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').

Cybercrime experts also say some proactive organizations continue to stockpile cryptocurrency, in case they need to make a rapid ransom payment (see Ransomware Extortion: A Question of Time).

All of this contributes to what appears to be a sufficient number of victims paying profit-focused cybercriminals enough in proceeds to make continuing to perpetrate these types of attacks worthwhile.

Or as the FBI's Sakilayan told the Edinburgh cybersecurity conference on Thursday: "As much as we tell people not to pay the ransom, people pay the ransom."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.