Alert - Renewed Cyber Threats to Canadian Health Organizations

Number: AL20-026
Date: 30 October 2020


This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.


An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.


On 28 October 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a Joint Cybersecurity Advisory [1] to highlight credible information regarding an imminent and increased threat to the United States healthcare and public health sectors. The Cyber Centre assesses that this threat extends to Canadian healthcare providers.


Coinciding with the Joint Cybersecurity Advisory was the publication on 28 October 2020, by FireEye, [2] of information regarding campaigns against various organizations, including hospitals and medical centres. Specifically, the FireEye report highlighted tactics, techniques, and procedures employed by the threat actors in these campaigns, as well as campaign indicators.

The COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations when involved in the national response to the pandemic, including but not limited to medical care, research, manufacturing, distribution and policy-making organizations. Specifically:

  • Sophisticated threat actors may attempt to steal the intellectual property (IP) of organizations engaged in research and development related to COVID-19, or sensitive data related to Canada’s response to COVID-19; and
  • Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extort ransom payments or mask other compromises.


The impact of ransomware on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more severe than in a non-crisis environment. It is therefore recommended that organizations take extra precautions in identifying, as early as possible, potential vulnerabilities and inadequate security controls that may lead to an infection resulting in ransomware being deployed. The Cyber Centre strongly advises that all organizations become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to back-up infrastructure.

Malicious Actor Tool Evolution

On 4 October, the Cyber Centre reported on the deployment of Ryuk ransomware [3] within Canada, the final stage of exploitation after a victim’s systems have been compromised of tools such as Trickbot. More recently, researchers have identified that malicious actors have begun using new tools and techniques in order to compromise victims more covertly and to deploy ransomware such as Conti, often cited as the successor of Ryuk ransomware.

The first of these tools is BazarLoader, which plays a similar role as Trickbot while being more covert. Like Trickbot, BazarLoader has been observed being used for initial compromise, typically via a phishing email, and providing a backdoor through which additional malware is introduced to the network. BazarLoader appears to be the new preferred vector when a high-value target is being pursued, possibly due to the high detection rates of Trickbot.

Once access to the network is established, Anchor is used to maintain a presence on the network. The Anchor project consists of a framework of tools that allows the actors to leverage multiple methods of malicious activity against higher-profile victims.  This framework is designed to covertly upload tools, and, when complete, to remove evidence of malicious activity. Like BazarLoader, Anchor appears to have close ties to Trickbot.


In view of these threats, the Cyber Centre recommends that all Canadian health organizations involved in the national response to the pandemic take appropriate measures to ensure that they are actively engaged in cyber defense best practices.

Special consideration should be given to the following publications for guidance:


Joint US Cyber Security Alert AA20-302A IOCs [1]:

Abuse.CH Trickbot C2 tracker:

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser - UNC1878 Indicators [2]:

Ryuk Ransomware: Extensive Attack Infrastructure Revealed:


[1] Joint Cybersecurity Advisory - Ransomware Activity Targeting the Healthcare and Public Health Sector (AA20-302A):

[2] FireEye Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser:

[3] Ryuk Ransomware Campaign:

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment.  We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Should organizations identify activity associated to that described in this Alert, recipients are encouraged to contact the Cyber Centre by email ( or by telephone (1-833-CYBER-88 or 1-833-292-3788).

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: