Cyberattacks like U of C ransomware case easy to launch, security expert warns

It doesn't take a much skill to pull off a ransomware attack like the one that cost the University of Calgary $20,000, warnsa cyber-security expert.

"They don't need a lot of skill these days.They can go into the dark web, they can buy the kits.They don't need a lot of expertise,"said Kathy Macdonald, who spent 25 years as a police officer15 of those working in cyber security and safety.

She said there's step-by-step instructions on the web andpeople whowill givelessons.

"Because they're using Bitcoin, a virtual currency that for the most part is practically impossible to track, they get away.They disappear into the ether."

• U of C ransom payout better than battling hackers, expert says
• Ransomware: What you need to know

Hackers managed to infect the U of C computer system with ransomware last week, effectively holding staff and faculty email access hostage until a $20,000 ransom was paid.

"When it happened, I was at the anti-phishing working group conference in Toronto and that's exactly what we were talking about was ransomware and spearphishing and phishing because it is big business.It's very prolific," said Macdonald.

"When I was in Toronto I ran into a couple of people, individuals, who had actually paid the ransom."

She said it affectsindividuals tosmall- andmedium-sized companies tolarge institutions like hospitals, universities andgovernment agencies.

Finding out who is behind the attacks isn't always possible.

"There are wide gaps in these kinds of investigations," said Macdonald.

"Police are always behind the eight-ball because they have to work trans-nationally, [cyber criminals] areall over the world and it's very difficult to track and trace these people."

Education the key

Having proactive computer policies in place is one defence againstan attack.

"Really, prevention and being proactive is the best way to avoid this and reduce the risk," said Macdonald.

"User education is by far one of the best things you can do, talking to employees about phishing and spear phishing and just explaining what the behaviour entails."

Phishing and spear phishing is when hackers send emails to users, usually disguised as coming from someone they know, in an attempt to get the user to click a link thatallowsthe hackers access to the system.

"Usually it appears to come from somebody within the company or a friend or it's very casual sounding language that tricks the person to clicking on the link because they think they're supposed to," said Macdonald.

"They've been asked to do something, they've been invited to do something and it's very malicious from that standpoint."

Trust your gut

The best way to avoid clicking a bad link is to be skeptical.

"Pause, stop, read," said Macdonald.

"Ask yourself, 'Is this normal behaviour?Would somebody be sending it at this time of day?Is this their typical sounding language?' And if it's not, pick up the phone and ask the question, 'Did you send me this?'"