Ransomware

Ransomware is the most common cyber threat Canadians face and it is on the rise.

During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.

Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.

Basic cyber security practices would prevent the vast majority of ransomware incidents in Canada.

This page offers resources from the Cyber Centre to help Canadians and Canadian organizations understand the ransomware threat and take action to protect themselves.

Open letter to Canadian organizations about ransomware

RE: Protecting yourself from the threat of ransomware

December 6, 2021

Fellow Canadians,

Since the beginning of the COVID-19 pandemic, we have all been reminded of how crucial the internet is to our way of life. More and more of us have been working and studying from home and conducting business online, and it is therefore more important than ever that we take steps to remain cyber safe.

Across the world, we have seen a marked rise in the volume and range of cyber threats – and Canada is no exception. This includes a surge in ransomware incidents – a tactic wherein threat actors deny access to an organization’s most important informational or vital systems until organizations pay the threat actor, usually in digital currency. This year, we have seen a growing number of ransomware threats targeting Canadian small and medium-sized businesses, health care organizations, utility organizations, and municipalities.

There is, however, good news. By adopting basic but appropriate cyber security practices, we can all help stop the vast majority of cyber incidents targeting Canadians.

You, and your organization, are not alone.

The Communications Security Establishment’s Canadian Centre for Cyber Security (the Cyber Centre) and the Royal Canadian Mounted Police (RCMP) urge all Canadian organizations and businesses to take steps to review and strengthen the cyber security of your networks, systems, and information – and we are here to help.

Together with law enforcement agencies, and other federal and international partners, we are working hard to make threat information more publicly available and provide you with specific advice and guidance to help you stay safe from the impacts of ransomware. Canada is also working closely with our allies to pursue cyber threat actors and disrupt their capabilities. We are also assisting in the recovery of organizations compromised by ransomware, and helping them to be more resilient going forward.

To keep yourselves and all Canadians safe, we’re asking you to take action. Our national cyber security must involve efforts from industry partners, small and medium sized businesses, and all Canadians. Our message is clear: taking basic steps to ensure your organization’s cyber security will pay swift dividends.

Taking action is worth it.

To assist your organization, the Cyber Centre has published best practice guidelines. As Canada’s national technical authority for cyber security, the Cyber Centre provides extensive advice and recommended IT actions to organizations to help mitigate the threat of ransomware. Canadian organizations should invest in these inexpensive but effective baseline cybersecurity controls to limit their exposure to cyber attacks. You can refer to the Ransomware Playbook for specific advice. Once you have implemented these practices, we encourage you to register with the CyberSecure Canada program, thus attesting to your cyber security status and certifying that protective measures are in place.

If your organization is threatened with or falls victim to ransomware, you should implement your recovery plan, seek professional cyber security assistance, and immediately report the incident to the Cyber Centre’s online portal as well as your local police. Timely reporting is critical to help us identify the threat vector and update our guidance, make linkages across separate incidents, launch law enforcement investigations and take action against cybercriminals, and ultimately reduce the risk to other Canadians.

It’s time to think seriously about cyber security. We urge you to take stock of your organization’s online operations, protect your important information and technologies with the latest cyber security measures, build a response plan, and ensure that your designated IT security personnel are well-prepared to respond to incidents.

Your government is here to help.

Together, we can make Canada the most cyber secure place to conduct business and other activities online.

Sincerely,

The Honourable Anita Anand, PC, MP
Minister of National Defence

The Honourable Marco E. L. Mendicino, PC, MP
Minister of Public Safety

The Honourable Bill Blair, PC, MP
Minister of Emergency Preparedness and President of the Queen’s Privy Council for Canada

The Honourable Mary F. Y. Ng, PC, MP
Minister of International Trade, Export Promotion, Small Business, and Economic Development

Where to report cyber crime

Canadian Centre for Cyber Security (Cyber Centre)

Canadian Anti-Fraud Centre or 1-888-495-8501

Additional resources

Ransomware Playbook

Cyber Threat Bulletin: The Ransomware Threat in 2021

Modern Ransomware and its Evolution

Cyber Security at Home and in The Office: Secure Your Devices, Computers, and Networks

Ransomware: How to Prevent and Recover

Report a cyber incident - Canadian Centre for Cyber Security

Report fraud and cybercrime – Canadian Anti-Fraud Centre

RCMP’s National Cybercrime Coordination Unit

Prevent Ransomware – Royal Canadian Mounted Police

Cyber Safety - Royal Canadian Mounted Police

Reports

Ransomware case study: the Conti group

This case study describes the typical methods of the Conti ransomware group, one the most prolific cybercriminal groups in operation.

Even by ransomware standards, Conti is regarded as one of the most ruthless and damaging gangs, frequently targeting hospitals, medical networks and other critical services.

In a typical attack Conti actors steal, encrypt and/or delete files. They also threaten to leak sensitive data if the ransom is not paid, a tactic known as “double extortion.”

A typical Conti ransomware attack takes place in four stages: reconnaissance, intrusion, infection and impact.

Long description follows
Long description - Stage 1: Reconnaissance

Conti actors gather information to identify high-value targets such as hospitals and other organizations that provide essential services or hold sensitive data. They use Internet searches, system scans and information shared on the Dark Web, such as stolen passwords or login credentials. Conti actors continue to gather information throughout the attack cycle to leverage greater ransoms and to ensure payment is not withheld. Footnote 1

 
Long description follows
Long description - Stage 2: Intrusion

Conti actors typically gain illicit access to the victim’s system either through stolen credentials or through spear phishing emails containing malicious attachments or links. Unlike generic phishing attempts, spear phishing emails are personalized to the recipient, making them more convincing.

Often the malicious attachment appears to be a regular file type, such as Word, Excel or PDF, but when the victim opens it, malware, such as TrickBot, IcedID, or BazarLoader, downloads and executes on their device.

 
Long description follows
Long description - Stage 3: Infection

Once the first device is infected with malware, Conti actors will often install Cobalt Strike software as a command and control (C2) mechanism to coordinate the next phase of the attack.

They exploit unpatched vulnerabilities and often use tools already available on the victim network to gain persistent access.

They use remote execution software (such as PSExec and Remote Desktop Protocol) to move laterally across the victim network, obtaining credentials and escalating privileges without triggering anti-virus software.

This process allows them to spread the infection to all connected devices on the network.

 
Long description follows
Long description - Stage 4: Impact

At this point, the Conti actors deploy the ransomware, exfiltrating (stealing), deleting or encrypting the victim's sensitive data.

They employ a double extortion technique in which they demand a ransom to restore the encrypted data, while threatening to leak it publicly if the ransom is not paid. They may in fact have already deleted the data, but the victim does not know that.

 

Facts and figures

Since January 2020 Conti has leaked several hundred gigabytes of data stolen in over 450 cyber attacks against Canadian and international organisations.Footnote 2 This is based on information from Conti’s own “Ransomware Leak Site”. We assume that many more victims have paid ransom without having their data published online.

Conti has publicly claimed to have compromised and stolen data from at least 24 Canadian victims so far in 2021. More than half of those belonged to the machinery, professional services, real estate, and specialty retail sectors.

As of September 2021, the Conti group’s average ransom payment is $373,902 USD. Footnote 3

Conclusion

The Conti group is one of the most sophisticated ransomware groups in operation. However, at every step of this process, there are cyber security tools and practices that can prevent or mitigate the impact of ransomware attacks.

You can find further resources on ransomware, including how to defend against it, on the Cyber Centre’s dedicated ransomware page.

Guidance for organizations

Guidance for all Canadians

Additional resources

Report a cyber incident

Reporting a cyber incident helps the Cyber Centre keep Canada and Canadians safe online. Your information will enable us to provide cyber security advice, guidance and services.

Get Cyber Safe

Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.

 
Report a problem on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: