Parliamentary Committee Notes: Ransomware

Issue

Ransomware poses a significant cyber threat to our national security, economic prosperity and the personal safety of Canadians.

Proposed Response

Ransomware has become increasingly common and poses significant risk to governments, businesses, and individuals.

The impact of ransomware can be extensive, and often includes core business disruptions, data loss and potentially significant recovery costs. Ransomware incidents pose a significant threat to the continuity of critical services for Canadians, as evidenced by recent disruptions in the healthcare sector.

The Government of Canada will continue to work to protect Canadians from malicious cyber actors and the physical, economic, operational, and reputational damage of ransomware.

This includes the Government of Canada's introduction of new critical cyber systems legislation, which would establish a regulatory framework to support the improvement of baseline cyber security for services and systems that are vital to national security and public safety and give the government a new tool to respond to emerging cyber threats.

This legislation emphasizes our commitment to protecting Canadians from cyber threats such as ransomware, and it can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.

The Government of Canada is also committed to collaborating with all levels of government and other domestic partners to share lessons learned and best practices for the development of ransomware policy and to develop a coordinated response to ransomware threats.

Internationally, the Government of Canada is working with its allies to identify common issues, share potential solutions, and coordinate efforts to combat ransomware threats.

Of course, combatting ransomware is not just a government effort. Many cyber incidents are preventable. We must all do our parts to protect ourselves, our families, and our businesses from ransomware. There are trusted resources and partners to help you do this.

The Government of Canada encourages all victims who have experienced a ransomware incident to report it to law enforcement, through their local police services or to the RCMP through the Canadian Anti-Fraud Centre website.

Cyber incidents should also be reported to the Canadian Centre for Cyber Security as soon as the incident is detected.

The Government of Canada strongly discourages paying ransom to cyber criminals because any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. There is no guarantee that cybercriminals will return your information, and your organization may be identified as a target for future cybercrime.

Background

Ransomware is defined by the Canadian Centre for Cyber Security (the Cyber Centre) as a type of malware (malicious software) that denies a user's access to files or systems until a sum of money is paid. It is the most common form of malware used for online extortion against Canada and Canadians.

The Cyber Centre's 2023-24 National Cyber Threat Assessment (NCTA) assesses that ransomware continues to be the most likely and most disruptive cyber threat activity to affect Canadians and Canadian organizations. Critical infrastructure is increasingly at risk from ransomware threat activity, with cybercriminals exploiting the fact that downtime of critical infrastructure can be harmful to industrial processes and to Canadians who rely on its essential services. Ransomware is directed at Canadian organizations of all sectors and sizes, from large enterprises to small businesses. As society becomes more connected to the internet and reliant on digital infrastructure, malicious cyber actors are provided with a greater number of vectors that they can exploit to the detriment of Canada's national security, economic prosperity, and personal safety.

Since April 2021, the National Cybercrime Coordination Centre (NC3) has received over 2,000 requests for operational assistance from domestic and international law enforcement partners. From April 2021 to present, approximately 55% of NC3 requests with a Canadian nexus have involved ransomware. At the same time, cybercrime continues to go underreported to police. In 2021, only 10% of businesses affected by cybercrime reported the incidents to law enforcement. This means the actual rate of cybercrime in Canada is likely much higher than reporting statistics suggest. Correcting this trend will require action from various private and public institutions.

Evolving Threat Environment

The 2023-24 NCTA assesses that threat actors are developing more sophisticated techniques and tactics to target Canadian individuals and organizations. New technologies, such as decentralized finance and a flourishing market for cybercrime tools and services, have lowered the barrier to entry for cybercriminals. Ransomware-as-a-Service (RaaS) groups develop ransomware programs and provide troubleshooting services to other malicious cyber actors, enabling malicious cyber actors with little programming skill to participate in and profit from ransomware activity.

Given the ease with which ransomware transcends borders and jurisdictions, the international threat of ransomware poses challenges to investigating ransomware offences and identifying those responsible. As such, reporting is crucial as it can provide law enforcement with information that can help the victim, identify linkages and better enable the Government of Canada and Canadians to combat cybercrime. If an individual, business or organization experiences a cybercrime, scam or fraud, they should contact their local police immediately, and report the incident to the Canadian Anti-Fraud Centre (CAFC) online or toll-free at 1-888-495-8501. Local police services are best positioned to document the reported cybercrime, begin the investigation process and engage provincial or national policing resources such as the NC3, as required. Cybercrime can happen to anyone at any time. Victims should know that they are not alone and that by reporting the incident to law enforcement they can receive support and prevent further victimizations. In addition, the NC3 and the CAFC are currently working with law enforcement partners, industry, and cybercrime victims to build a new cybercrime and fraud reporting system, and make it easier for Canadians and businesses to report cybercrime and fraud incidents to law enforcement. Once fully in place, a victim or witness of a cybercrime or fraud, including ransomware incidents, will be able to use this system to report the crime online to law enforcement.

The Government of Canada (GC) strongly discourages paying ransom to malicious cyber actors. Any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. It is important to know that the payment of ransom:

Government of Canada Response

The GC takes a comprehensive approach to countering ransomware and is committed to ensuring that the cyber systems that underpin the daily lives of Canadians are resilient and secure. GC departments and agencies are working to reduce the threat of ransomware by investing in cyber security for GC systems; investigating and providing advice to the GC on the national security threat of ransomware; targeting and disrupting cyber criminals; coordinating strategies with international allies; and issuing advice, guidance, and services for those affected by ransomware.

In 2018, Public Safety Canada (PS) released the National Cyber Security Strategy (NCSS). The NCSS provides a framework to protect GC systems, to extend the GC network of partnerships to help protect critical infrastructure, and to help Canadians to be safe online. The Government of Canada is currently in the process of creating a new NCSS. The new NCSS will describe the Government of Canada's ongoing and future efforts to enhance Canada's cyber security through national and international efforts. Through the new NCSS, the Government of Canada will continue to take strong action to protect and defend all people in Canada from cyber threats.

PS also developed the National Strategy for Critical Infrastructure (NSCI) with the purpose of building a safer, more secure and resilient Canada. The NSCI works toward this goal by setting the direction for enhancing the resiliency of critical infrastructure against current and emerging hazards. PS also administered a series of ransomware exercises and is currently designing a stakeholder exercise toolkit, which includes ransomware scenarios aimed at improving organizational response to a ransomware event. Additionally, PS and the Cyber Centre developed the Canadian Cyber Security Tool (CCST) to help critical infrastructure organizations assess their own cyber security quickly and easily, through holistic advice and guidance aimed at improving organizational cyber resiliency to threats such as ransomware. PS, in close collaboration with other government departments, provinces, territories, the private sector, and international allies, takes a leadership role in advancing cyber security in Canada.

The Cyber Centre produces ransomware-specific technical briefings and guidance for businesses and oversees national public awareness campaigns to inform Canadians about cyber security and the simple steps they can take to build resiliency. The Cyber Centre has developed a set of baseline cyber security controls and mitigation strategies for small and medium organizations. In addition, the Department of Innovation, Science and Economic Development Canada (ISED) supports efforts to improve the cyber security postures of small and medium-sized organizations via the cyber security guidance outlined in the Baseline Cyber Security Controls standard (CAN/CIOSC 104: 2021). This program is designed to improve cyber protections for the organization, its clients, and its partners. Alongside these efforts to inform and grow resiliency, the Cyber Centre and law enforcement engage in sustained operations to constrain ransomware operators' ability to interfere with GC systems and Canada's critical infrastructure.

The Cyber Centre has been leading the GC's efforts on the development of a ransomware communications campaign for Canadians and Canadian companies. This campaign included the release of new ransomware materials to the general public, including:

Since Canada's Anti-Spam Legislation (CASL) came into force in 2014, it has continued to protect consumers and businesses from the misuse of digital technology, including ransomware. The Canadian Radio-television and Telecommunications Commission (CRTC) has the primary enforcement responsibility under CASL, and investigates, takes action against, and sets administrative monetary penalties for installing a computer program without express consent, such as when malware, ransomware, spyware or viruses are installed alongside computer programs, hidden in spam messages, or downloaded through links to infected websites. The CRTC and ISED encourage Canadians to use the Spam Reporting Centre (SRC) to provide as much information as possible about potential CASL violations.

Two other organizations enforce CASL: the Competition Bureau and the Office of the Privacy Commissioner. The Competition Bureau can seek administrative monetary penalties or criminal sanctions under the Competition Act. The Office of the Privacy Commissioner also has powers under an amended Personal Information Protection and Electronic Documents Act (PIPEDA) related to ensuring the privacy of personal information and handling breaches. Also, ISED is the national coordinating body for CASL and the policy lead. Its role is to promote awareness of the law, educate consumers, network operators and small businesses, coordinate work with the private sector and conduct research and related policy work.

Where the RCMP serves as the local police of jurisdiction, it investigates cybercrime that falls under its jurisdiction and mandate. At the federal level, RCMP Federal Policing has the mandate and authority to investigate criminal activity involving the use of computer systems that results in a high economic or cross-jurisdictional impact and is of national interest to the domestic or international law enforcement community. This includes cybercrime directed against institutions of government, critical infrastructure of national importance, and key Canadian institutions and business assets. Investigations into these types of threat actors and tools are domestic and international in scope; they can include strategic disruptions, and can lead to charges in Canada or in a foreign jurisdiction. For example, during 2021 and 2022 the U.S. Federal Bureau of Investigation (FBI) and RCMP Federal Policing conducted parallel investigations into a NetWalker ransomware affiliate. The RCMP investigation, led by the Federal Policing Cybercrime Investigative Team in Toronto, resulted in the execution of search warrants in Canada, the seizure of cybercrime tools and proceeds of crime ($34 million in Bitcoin and almost $700,000 in cash), charges laid against the accused, and the extradition of the accused to the U.S.

As a National Police Service, the NC3 at the RCMP coordinates and supports ransomware and other cybercrime investigations in close collaboration with domestic and international law enforcement partners. For example, in 2023 the NC3 participated in Project Dawnbreaker, a US-led and international law enforcement takedown of Hive ransomware infrastructure and domains, in collaboration with Peel Regional Police as the Canadian investigative lead. Of note, the NC3 facilitated the distribution of ransomware decryption capabilities provided by the FBI for Canadian organizational victims. These efforts directly saved millions of dollars in ransomware victim payments and prevented the victimization of Canadian organizations.

In another example from 2023, the NC3 participated in Operation Cookie Monster, an international takedown of Genesis Market. Genesis Market was a darknet cybercrime forum specializing in the sale and distribution of stolen credentials providing access to online accounts and services. At the time of takedown, Genesis Market had over 2 million stolen identities listed, making it one of the most significant global cybercrime facilitators. The takedown ultimately included 18 countries, and 79 distinct police actions within Canada alone, including arrests, seized assets and cease and desist actions. Due to the significant number of distinct police actions in the province of Quebec, Sûreté du Québec was a leading investigative organization in this effort. These operational examples demonstrate the necessity for law enforcement to work together, share information and pool resources to combat ransomware and other cybercrime threats in today's digital era.

Given that ransomware is transnational, strong international cooperation is needed to address the threat of ransomware. Internationally, Canada works collaboratively with like-minded partners, including the Five Eyes, to combat the threat of ransomware by actively sharing lessons learned and, as appropriate, more closely aligning policies, activities, public messaging, and industry engagement. For example, PS is currently engaged with the Counter Ransomware Initiative (CRI), a U.S.-led initiative that provides an informal government-to-government mechanism for over 60 members to improve international cooperation to counter ransomware. At the 2023 CRI Summit, Canada and 43 other members endorsed the first-ever joint policy statement declaring that relevant institutions, under the authority of national governments, should not pay ransoms and strongly discourage anyone from paying a ransomware demand. Additionally, the RCMP works with the FBI, the United Kingdom's National Crime Agency, the Dutch National High-Tech Crime Unit, Europol and the US-based National Cyber-Forensics and Training Alliance to advance efforts to combat ransomware.

Canada has also supported allies on multiple occasions with regard to public attributions against malicious activities including ransomware. These include high-profile ransomware incidents, such as WannaCry in 2017 and NotPetya in 2018. Publicly calling out perpetrators of malicious cyber activities holds threat actors to account and contributes to the deterrence of future attempts and incidents.
