Date: 2020-05-01

The Northwest Territories Power Corporation's (NTPC) website went down Thursday afternoon, but some pages show what appears to be a ransomware message from unknown hackers.

Some visitors to the MyNTPC website were greeted with a text page that begins with: "Hi! Your files are encrypted by Netwalker."

In a message apparently directed to a user in a position to physically shut down NTPC computers, the message goes on to state that no shutdown should be attempted as that could destroy data contained on the computer.

Instructions are included that direct the reader to download a "tor-browser," an internet browser that allows users to access what is sometimes called the dark web, in order to verify that decryption of files is possible by visiting a website and inputting a line of code.

The message does not explicitly state whether there is a ransom, or what it could be, but the offer to decrypt one file was advertised as "for free."

Ransomware is a type of malicious software that allows hackers to view a computer's files, gather information and spread through its network, unbeknownst to the user. The software then encrypts the files and the attackers demand payments from victims to release the data.

'The last thing we need'

Bogdan Stanciu, an IT professional, went to pay his NTPC bill online Thursday when he found the message.

"I was surprised. It sucks because with everything else going on, some crucial infrastructure being hit is the last thing we need," Stanciu said.

He added, "If they have backup, which they almost certainly do, they can just roll it back" unless the backups have been hacked as well.

Doug Prendergast, spokesperson for NTPC, confirmed that the company was experiencing "computer issues." When asked if this was a ransomware attack, Prendergast said its IT group was investigating and that there is "not enough information to reach conclusions."

He said updates would be posted to NTPC's Twitter and Facebook accounts.

In an email to CBC, Brett Callow, a threat analyst with anti-malware company Emsisoft, said he's aware of Netwalker exploits against a U.S. health-care provider and the Toll Group, an Australian logistics firm.

Callow said that "it'll likely be more than the website that's affected."

"Ransomware generally does what it's supposed to do: encrypt data," Callow said. "In some cases, the encryption is not properly implemented enabling us to crack it, but that's not the case with NetWalker. It's secure."

Callow said NetWalker is also known as Mailto.

"I can't say how serious the attack may be," Callow added.

"The actors may have only been able to access the server that hosts the website, or they may have been able to penetrate further and encrypt other systems. In the Toll Group incident, the attack caused significant disruption and it took the company approximately six weeks to fully return to normal operations."

This is what some users saw when they visited the MyNTPC website on Thursday afternoon. The "Readme" document leads to what appears to be a ransomware note. (CBC)

A ransomware attack in Nunavut took the territorial government two weeks to recover from last November.

N.W.T. RCMP were not immediately available for comment.