Parliamentary Committee Notes: Ransomware

Bill C-26: An Act Respecting Cyber Security (Parliamentary Committee Binder)

Date: July 31, 2023
Classification: Unclassified
Fully releasable (ATIP)? Yes
Branch / Agency: NCSB / PS

Ransomware

Issue: Ransomware poses a significant cyber threat to our national security, economic prosperity and the personal safety of Canadians.

Proposed Response:

Ransomware has become increasingly common and poses significant risk to governments, businesses, and individuals.
The impact of ransomware can be extensive, and often includes core business disruptions, data loss and potentially significant recovery costs. In critical infrastructure sectors, such as health care, ransomware could cause physical harm to individuals or even result in loss of life.
The Government of Canada will continue to work to protect Canadians from malicious cyber actors and the physical, economic, operational, and reputational damage of ransomware.
This includes the Government of Canada's announced intention to introduce new critical cyber systems legislation, which would establish a regulatory framework to support the improvement of baseline cyber security for services and systems that are vital to national security and public safety and give the government a new tool to respond to emerging cyber threats.
This legislation emphasizes our commitment to protecting Canadians from cyber threats such as ransomware, and it can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
The Government of Canada is also committed to collaborating with all levels of government and other domestic partners to share lessons learned and best practices for the development of ransomware policy and developing a coordinated response to ransomware threats.
Internationally, the Government of Canada is working with its allies to identify common issues, share potential solutions, and coordinate efforts to combat ransomware threats.
Of course, combatting ransomware is not just a government effort. Many cyber incidents are preventable. We must all do our parts to protect ourselves, our families, and our businesses from ransomware. There are trusted resources and partners to help you do this.
The Government of Canada encourages all victims who have experienced a ransomware incident to report it to law enforcement, through their local police services or to the RCMP through the Canadian Anti-Fraud Centre website.
Cyber incidents should also be reported to Canadian Centre for Cyber Security as soon as the incident is detected.
The Government of Canada does not recommend paying ransom to cyber criminals because any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. There is no guarantee that cybercriminals will return your information, and your organization may be identified as a target for future cybercrime.

Ransomware Background:

Ransomware is defined by the Canadian Centre for Cyber Security (the Cyber Centre) as a type of malware (malicious software) that denies a user's access to files or systems until a sum of money is paid. It is the most common form of malware used for online extortion against Canada and Canadians.

The Cyber Centre's 2023-24 National Cyber Threat Assessment (NCTA) assesses that ransomware continues to be the most likely and most disruptive cyber threat activity to affect Canadians and Canadian organizations. Critical infrastructure is increasingly at risk from ransomware threat activity, with cybercriminals exploiting the fact that downtime of critical infrastructure can be harmful to industrial processes and Canadians that rely on its essential services. Ransomware is directed at Canadian organizations of all sectors and sizes, from large enterprises to small businesses. As society becomes more connected to the internet and reliant on digital infrastructure, malicious cyber actors are provided with a greater number of vectors that they can exploit to the detriment of Canada's national security, economic prosperity, and personal safety.

Since April 2021, the National Cybercrime Coordination Centre (NC3) has received over 2,000 requests for operational assistance from domestic and international law enforcement partners. From April 2021 to present, approximately 55% of NC3 requests with a Canadian nexus have involved ransomware. At the same time, cybercrime continues to go underreported to police. In 2021, only 10% of businesses affected by cybercrime reported the incidents to law enforcement. This means the actual rate of cybercrime in Canada is likely much higher than reporting statistics suggest. Correcting this trend will require action from various private and public institutions.

Evolving Threat Environment

The 2023-24 NCTA assesses that threat actors are developing more sophisticated techniques and tactics to target Canadian individuals and organizations. New technologies such as decentralized finance, as well as a flourishing market for cybercrime tools and services, have lowered the barrier to entry for cybercriminals. Ransomware-as-a-Service (RaaS) groups develop ransomware programs and provide troubleshooting services to other malicious cyber actors, enabling malicious cyber actors with little programming skill to participate in and profit from ransomware activity.

Given the ease with which ransomware transcends borders and jurisdictions, the international threat of ransomware poses challenges to investigating ransomware offences and identifying those responsible. As such, reporting is crucial as it can provide law enforcement with information that can help the victim, identify linkages and better enable the Government of Canada and Canadians to combat cybercrime. If an individual, business or organization experiences a cybercrime, scam or fraud, they should contact their local police immediately, and report the incident to the Canadian Anti-Fraud Centre (CAFC) online or toll-free at 1-888-495-8501. Local police services are best positioned to document the reported cybercrime, begin the investigation process and engage provincial or national policing resources such as the NC3, if and as required. Cybercrime can happen to anyone at any time. Victims should know that they are not alone and that by reporting the incident to law enforcement they can receive support and prevent further victimizations. In addition, the NC3 and the CAFC are currently working with law enforcement partners, industry, and cybercrime victims to build a new cybercrime and fraud reporting system, and make it easier for Canadians and businesses to report cybercrime and fraud incidents to law enforcement. Once fully in place, in 2023-2024, a victim or witness of a cybercrime or fraud, including ransomware incidents, will be able to use this system to report the crime online to law enforcement.

The Government of Canada (GC) does not recommend paying ransom to malicious cyber actors. Any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. It is important to know that the payment of ransom:

offers no guarantee that your systems will be restored or that your data will not be sold;
may make you a recurring target;
encourages further malicious cyber activity against others;
may be used to fund organized criminal groups, terrorism or state-sponsored violence; and
could be found unlawful if the ransom payment is captured by laws against terrorism, money laundering, funding criminal organization activities, or is covered by sanctions legislation.

Government of Canada Response

The GC takes a comprehensive approach to countering-ransomware and is committed to ensuring that the cyber systems that underpin the daily lives of Canadians are resilient and secure. GC departments and agencies are working to reduce the threat of ransomware by investing in cyber security for GC systems, investigating, and providing advice to the GC on the national security threat of ransomware; targeting and disrupting cyber criminals; coordinating strategies with international allies; and issuing advice, guidance, and services for those affected by ransomware.

Public Safety Canada (PS) led the development of the National Cyber Security Strategy (NCSS), which was published in 2018. The NCSS aims to provide a framework to protect GC systems, to extend the GC network of partnerships to help protect critical infrastructure, and to help Canadians to be safe online. PS also developed the National Strategy for Critical Infrastructure (NSCI) with the purpose of building a safer, more secure and resilient Canada. The NSCI works toward this goal by setting the direction for enhancing the resiliency of critical infrastructure against current and emerging hazards. PS also administered a series of ransomware exercises and is currently designing a stakeholder exercise toolkit and exercise program which includes ransomware scenarios aimed at improving organizational and national response to a ransomware event. Additionally, PS and the Cyber Centre, developed the Canadian Cyber Security Tool (CCST) to help critical infrastructure organizations assess their own cyber security quickly and easily, which includes holistic advice and guidance aimed at improving organizational cyber resiliency to threats such as ransomware. PS, in close collaboration with other government departments, provinces, territories, the private sector, and international allies, takes a leadership role in advancing cyber security in Canada.

The Cyber Centre produces ransomware-specific technical briefings and guidance for businesses and oversees national public awareness campaigns to inform Canadians about cyber security and the simple steps they can take to build resiliency. The Cyber Centre has developed a set of baseline cyber security controls and mitigation strategies for small and medium organizations. In addition, the Department of Innovation, Science and Economic Development Canada (ISED) supports efforts to improve the cyber security postures of small and medium sized originations via the cyber security guidance outlined in the Baseline Cyber Security Controls standard (CAN/CIOSC 104: 2021).This program is designed to improve cyber protections for the organization, its clients, and its partners. Alongside these efforts to inform and grow resiliency, the Cyber Centre and law enforcement engage in sustained operations to constrain ransomware operators' ability to interfere with GC systems and Canada's critical infrastructure.

The Cyber Centre has been leading the GC's efforts on the development of a ransomware communications campaign for Canadians and Canadian companies. This campaign included the release of new ransomware materials to the general public, including:

The 2023-2024 National Cyber Threat Assessment, which prominently includes information on ransomware;
An open letter from four Ministers to Canadian Organizations on protecting against ransomware;
A Cyber Threat Bulletin specifically outlining the threat of ransomware;
A Ransomware Playbook outlining prevention and response techniques for organizations;
Various advice and guidance articles;
A prominent landing page on the Cyber Centre's website (Cyber.gc.ca) to house all of its reports, advice and guidance related to ransomware; and
Social media posts releasing and amplifying the above products

Since Canada's Anti-Spam Legislation (CASL) came into force in 2014, it has continued to protect consumers and businesses from the misuse of digital technology, including ransomware. The Canadian Radio-television and Telecommunications Commission (CRTC) has the primary enforcement responsibility under CASL, and investigates, takes action against, and sets administrative monetary penalties for installing a computer program without express consent, such as when malware, ransomware, spyware or viruses are installed alongside computer programs, hidden in spam messages, or downloaded through links to infected websites. The CRTC and ISED, encourage Canadians to use the Spam Reporting Centre (SRC) to provide as much information as possible about potential CASL violations.

Where the RCMP serves as the local police of jurisdiction, it investigates cybercrime that falls under its jurisdiction and mandate. At the federal level, RCMP Federal Policing has the mandate and authority to investigate cybercrime that targets GC systems and networks, critical infrastructure sectors, and other significant cybercrime threats to Canadian businesses and citizens that may have a high economic impact or are directed on behalf of foreign states. Under the FP cybercrime mandate, the greatest impact is realized by conducting investigations to identify and target Cybercrime-as-a-Service, criminal networks conducting illicit activity in the cyber realm, and hostile foreign actors (state and non-state). Investigations into these types of threat actors and tools are domestic and international in scope, can include strategic disruptions, and can lead to charges in Canada, or in a foreign jurisdiction. For example, during 2021 and 2022 the U.S. Federal Bureau of Investigation (FBI) and RCMP Federal Policing conducted parallel investigations into a NetWalker ransomware affiliate^{Footnote 1}. The RCMP investigation, led by the Federal Policing Cybercrime Investigative Team in Toronto, resulted in the execution of search warrants in Canada, the seizure of cybercrime tools and proceeds of crime ($34 million in Bitcoin and almost $700,000 in cash), charges laid against the accused, and the extradition of the accused to the U.S

As a National Police Service, the NC3 at the RCMP coordinates and supports ransomware and other cybercrime investigations in close collaboration with domestic and international law enforcement partners. For example, in December 2021, following a two-year cybercrime investigation led by the Ontario Provincial Police (OPP), and with assistance from the NC3, the OPP charged an Ottawa resident with cyber-related Criminal Code offences linked to numerous ransomware incidents affecting businesses, government agencies and private individuals throughout Canada and the United States. The lengthy investigation also included assistance from Europol and a parallel investigation by the FBI. Operations like this demonstrate the necessity for law enforcement to work together, share information and pool resources in today's digital era to combat ransomware and other cybercrime threats.

Given that ransomware is transnational, strong international cooperation is needed to address the threat of ransomware. Internationally, Canada works collaboratively with likeminded partners, including the Five Eyes, to combat the threat of ransomware by actively sharing lessons learned and, as appropriate, more closely aligning policies, activities, public messaging, and industry engagement. For example, PS is currently engaged with the Counter Ransomware initiative (CRI), a U.S. – led initiative that provides an informal government-to-government mechanism for over 40 countries to improve international cooperation to counter ransomware. Additionally, the RCMP works with the FBI, the United Kingdom's National Crime Agency, the Dutch National High-Tech Crime Unit, Europol and the US-based National Cyber-Forensics and Training Alliance to advance efforts to combat ransomware.

Canada has also supported allies on multiple occasions with regard to public attributions against malicious activities including ransomware. These include high profile ransomware incidents, such as: WannaCry in 2017 and NotPetya in 2018. Publicly calling out perpetrators of malicious cyber activities holds threat actors to account and contributes to the deterrence of future attempts and incidents.

Footnote 1

NetWalker is a sophisticated form of ransomware that has targeted dozens of victims all over the world, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. NetWalker affiliates specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims. NetWalker was created by a Russian-speaking group of hackers and operates as a “ransomware-as-a-service” product. It stood out from other ransomware variants because of its ransomware-as-a-service model, wherein affiliates rent access to the continuously updated malware code in exchange for a percentage of any funds extorted from victims. NetWalker developers created the malware and affiliates were recruited to use it to target victims and demand ransoms paid in cryptocurrency.

Return to first footnote 1 referrer

Date modified:: 2024-06-04

Language selection

Search and menus

Search