Ransomware is the most common cyber threat Canadians face and it is on the rise.
During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.
Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.
Basic cyber security practices would prevent the vast majority of ransomware incidents in Canada.
This page offers resources from the Cyber Centre to help Canadians and Canadian organizations understand the ransomware threat and take action to protect themselves.
Open letter to Canadian organizations about ransomware
RE: Protecting yourself from the threat of ransomware
December 6, 2021
Since the beginning of the COVID-19 pandemic, we have all been reminded of how crucial the internet is to our way of life. More and more of us have been working and studying from home and conducting business online, and it is therefore more important than ever that we take steps to remain cyber safe.
Across the world, we have seen a marked rise in the volume and range of cyber threats – and Canada is no exception. This includes a surge in ransomware incidents – a tactic wherein threat actors deny access to an organization’s most important informational or vital systems until organizations pay the threat actor, usually in digital currency. This year, we have seen a growing number of ransomware threats targeting Canadian small and medium-sized businesses, health care organizations, utility organizations, and municipalities.
There is, however, good news. By adopting basic but appropriate cyber security practices, we can all help stop the vast majority of cyber incidents targeting Canadians.
You, and your organization, are not alone.
The Communications Security Establishment’s Canadian Centre for Cyber Security (the Cyber Centre) and the Royal Canadian Mounted Police (RCMP) urge all Canadian organizations and businesses to take steps to review and strengthen the cyber security of your networks, systems, and information – and we are here to help.
Together with law enforcement agencies, and other federal and international partners, we are working hard to make threat information more publicly available and provide you with specific advice and guidance to help you stay safe from the impacts of ransomware. Canada is also working closely with our allies to pursue cyber threat actors and disrupt their capabilities. We are also assisting in the recovery of organizations compromised by ransomware, and helping them to be more resilient going forward.
To keep yourselves and all Canadians safe, we’re asking you to take action. Our national cyber security must involve efforts from industry partners, small and medium sized businesses, and all Canadians. Our message is clear: taking basic steps to ensure your organization’s cyber security will pay swift dividends.
Taking action is worth it.
To assist your organization, the Cyber Centre has published best practice guidelines. As Canada’s national technical authority for cyber security, the Cyber Centre provides extensive advice and recommended IT actions to organizations to help mitigate the threat of ransomware. Canadian organizations should invest in these inexpensive but effective baseline cybersecurity controls to limit their exposure to cyber attacks. You can refer to the Ransomware Playbook for specific advice. Once you have implemented these practices, we encourage you to register with the CyberSecure Canada program, thus attesting to your cyber security status and certifying that protective measures are in place.
If your organization is threatened with or falls victim to ransomware, you should implement your recovery plan, seek professional cyber security assistance, and immediately report the incident to the Cyber Centre’s online portal as well as your local police. Timely reporting is critical to help us identify the threat vector and update our guidance, make linkages across separate incidents, launch law enforcement investigations and take action against cybercriminals, and ultimately reduce the risk to other Canadians.
It’s time to think seriously about cyber security. We urge you to take stock of your organization’s online operations, protect your important information and technologies with the latest cyber security measures, build a response plan, and ensure that your designated IT security personnel are well-prepared to respond to incidents.
Your government is here to help.
Together, we can make Canada the most cyber secure place to conduct business and other activities online.
The Honourable Anita Anand, PC, MP
Minister of National Defence
The Honourable Marco E. L. Mendicino, PC, MP
Minister of Public Safety
The Honourable Bill Blair, PC, MP
Minister of Emergency Preparedness and President of the Queen’s Privy Council for Canada
The Honourable Mary F. Y. Ng, PC, MP
Minister of International Trade, Export Promotion, Small Business, and Economic Development
Where to report cyber crime
Canadian Centre for Cyber Security (Cyber Centre): https://www.cyber.gc.ca/en/incident-management
Canadian Anti-Fraud Centre: 1-888-495-8501 or https://www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm
Ransomware case study: the Conti group
This case study describes the typical methods of the Conti ransomware group, one the most prolific cybercriminal groups in operation.
Even by ransomware standards, Conti is regarded as one of the most ruthless and damaging gangs, frequently targeting hospitals, medical networks and other critical services.
In a typical attack Conti actors steal, encrypt and/or delete files. They also threaten to leak sensitive data if the ransom is not paid, a tactic known as “double extortion.”
A typical Conti ransomware attack takes place in four stages: reconnaissance, intrusion, infection and impact.
Long description - Stage 1: Reconnaissance
Conti actors gather information to identify high-value targets such as hospitals and other organizations that provide essential services or hold sensitive data. They use Internet searches, system scans and information shared on the Dark Web, such as stolen passwords or login credentials. Conti actors continue to gather information throughout the attack cycle to leverage greater ransoms and to ensure payment is not withheld. Footnote 1
Long description - Stage 2: Intrusion
Conti actors typically gain illicit access to the victim’s system either through stolen credentials or through spear phishing emails containing malicious attachments or links. Unlike generic phishing attempts, spear phishing emails are personalized to the recipient, making them more convincing.
Often the malicious attachment appears to be a regular file type, such as Word, Excel or PDF, but when the victim opens it, malware, such as TrickBot, IcedID, or BazarLoader, downloads and executes on their device.
Long description - Stage 3: Infection
Once the first device is infected with malware, Conti actors will often install Cobalt Strike software as a command and control (C2) mechanism to coordinate the next phase of the attack.
They exploit unpatched vulnerabilities and often use tools already available on the victim network to gain persistent access.
They use remote execution software (such as PSExec and Remote Desktop Protocol) to move laterally across the victim network, obtaining credentials and escalating privileges without triggering anti-virus software.
This process allows them to spread the infection to all connected devices on the network.
Long description - Stage 4: Impact
At this point, the Conti actors deploy the ransomware, exfiltrating (stealing), deleting or encrypting the victim's sensitive data.
They employ a double extortion technique in which they demand a ransom to restore the encrypted data, while threatening to leak it publicly if the ransom is not paid. They may in fact have already deleted the data, but the victim does not know that.
Facts and figures
Since January 2020 Conti has leaked several hundred gigabytes of data stolen in over 450 cyber attacks against Canadian and international organisations.Footnote 2 This is based on information from Conti’s own “Ransomware Leak Site”. We assume that many more victims have paid ransom without having their data published online.
Conti has publicly claimed to have compromised and stolen data from at least 24 Canadian victims so far in 2021. More than half of those belonged to the machinery, professional services, real estate, and specialty retail sectors.
As of September 2021, the Conti group’s average ransom payment is $373,902 USD. Footnote 3
The Conti group is one of the most sophisticated ransomware groups in operation. However, at every step of this process, there are cyber security tools and practices that can prevent or mitigate the impact of ransomware attacks.
You can find further resources on ransomware, including how to defend against it, on the Cyber Centre’s dedicated ransomware page.
Guidance for organizations
Guidance for all Canadians
- Baseline cyber security controls for small and medium organizations
- Cyber security at home and in the office - secure your devices, computers, and networks (ITSAP.10.00.007)
- Cyber security considerations for consumers of managed services (ITSM.50.030)
- Developing your incident response plan (ITSAP.40.003)
- Developing your IT recovery plan (ITSAP.40.004)
- Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104)
- Have you been hacked? (ITSAP.00.015)
- How updates secure your device (ITSAP.10.096)
- Internet of Things Security for Small and Medium Organizations (ITSAP.00.012)
- Offer tailored cyber security training to your employees (ITSAP.10.093)
- Preventative security tools (ITSAP.00.058)
- Protect your organization from malware (ITSAP.00.057)
- Protecting your organization when using Wi-Fi (ITSAP.80.009)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
- Tips for backing up your information (ITSAP.40.002)
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)
Report a cyber incident
Reporting a cyber incident helps the Cyber Centre keep Canada and Canadians safe online. Your information will enable us to provide cyber security advice, guidance and services.
Get Cyber Safe
Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.