Parliamentary Committee Notes: Ransomware

Bill C-26: An Act Respecting Cyber Security (Parliamentary Committee Binder)

Date: July 31, 2023
Classification: Unclassified
Fully releasable (ATIP)? Yes
Branch / Agency: NCSB / PS

Ransomware

Issue: Ransomware poses a significant cyber threat to our national security, economic prosperity and the personal safety of Canadians.

Proposed Response:

Ransomware Background:

Ransomware is defined by the Canadian Centre for Cyber Security (the Cyber Centre) as a type of malware (malicious software) that denies a user's access to files or systems until a sum of money is paid. It is the most common form of malware used for online extortion against Canada and Canadians.

The Cyber Centre's 2023-24 National Cyber Threat Assessment (NCTA) assesses that ransomware continues to be the most likely and most disruptive cyber threat activity to affect Canadians and Canadian organizations. Critical infrastructure is increasingly at risk from ransomware threat activity, with cybercriminals exploiting the fact that downtime of critical infrastructure can be harmful to industrial processes and Canadians that rely on its essential services. Ransomware is directed at Canadian organizations of all sectors and sizes, from large enterprises to small businesses. As society becomes more connected to the internet and reliant on digital infrastructure, malicious cyber actors are provided with a greater number of vectors that they can exploit to the detriment of Canada's national security, economic prosperity, and personal safety.

Since April 2021, the National Cybercrime Coordination Centre (NC3) has received over 2,000 requests for operational assistance from domestic and international law enforcement partners. From April 2021 to present, approximately 55% of NC3 requests with a Canadian nexus have involved ransomware. At the same time, cybercrime continues to go underreported to police. In 2021, only 10% of businesses affected by cybercrime reported the incidents to law enforcement. This means the actual rate of cybercrime in Canada is likely much higher than reporting statistics suggest. Correcting this trend will require action from various private and public institutions.

Evolving Threat Environment

The 2023-24 NCTA assesses that threat actors are developing more sophisticated techniques and tactics to target Canadian individuals and organizations. New technologies such as decentralized finance, as well as a flourishing market for cybercrime tools and services, have lowered the barrier to entry for cybercriminals. Ransomware-as-a-Service (RaaS) groups develop ransomware programs and provide troubleshooting services to other malicious cyber actors, enabling malicious cyber actors with little programming skill to participate in and profit from ransomware activity.

Given the ease with which ransomware transcends borders and jurisdictions, the international threat of ransomware poses challenges to investigating ransomware offences and identifying those responsible. As such, reporting is crucial as it can provide law enforcement with information that can help the victim, identify linkages and better enable the Government of Canada and Canadians to combat cybercrime. If an individual, business or organization experiences a cybercrime, scam or fraud, they should contact their local police immediately, and report the incident to the Canadian Anti-Fraud Centre (CAFC) online or toll-free at 1-888-495-8501. Local police services are best positioned to document the reported cybercrime, begin the investigation process and engage provincial or national policing resources such as the NC3, if and as required. Cybercrime can happen to anyone at any time. Victims should know that they are not alone and that by reporting the incident to law enforcement they can receive support and prevent further victimizations. In addition, the NC3 and the CAFC are currently working with law enforcement partners, industry, and cybercrime victims to build a new cybercrime and fraud reporting system, and make it easier for Canadians and businesses to report cybercrime and fraud incidents to law enforcement. Once fully in place, in 2023-2024, a victim or witness of a cybercrime or fraud, including ransomware incidents, will be able to use this system to report the crime online to law enforcement.

The Government of Canada (GC) does not recommend paying ransom to malicious cyber actors. Any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. It is important to know that the payment of ransom:

Government of Canada Response

The GC takes a comprehensive approach to countering ransomware and is committed to ensuring that the cyber systems that underpin the daily lives of Canadians are resilient and secure. GC departments and agencies are working to reduce the threat of ransomware by investing in cyber security for GC systems, investigating, and providing advice to the GC on the national security threat of ransomware; targeting and disrupting cyber criminals; coordinating strategies with international allies; and issuing advice, guidance, and services for those affected by ransomware.

Public Safety Canada (PS) led the development of the National Cyber Security Strategy (NCSS), which was published in 2018. The NCSS aims to provide a framework to protect GC systems, to extend the GC network of partnerships to help protect critical infrastructure, and to help Canadians to be safe online. PS also developed the National Strategy for Critical Infrastructure (NSCI) with the purpose of building a safer, more secure and resilient Canada. The NSCI works toward this goal by setting the direction for enhancing the resiliency of critical infrastructure against current and emerging hazards. PS also administered a series of ransomware exercises and is currently designing a stakeholder exercise toolkit and exercise program which includes ransomware scenarios aimed at improving organizational and national response to a ransomware event. Additionally, PS and the Cyber Centre developed the Canadian Cyber Security Tool (CCST) to help critical infrastructure organizations assess their own cyber security quickly and easily, which includes holistic advice and guidance aimed at improving organizational cyber resiliency to threats such as ransomware. PS, in close collaboration with other government departments, provinces, territories, the private sector, and international allies, takes a leadership role in advancing cyber security in Canada.

The Cyber Centre produces ransomware-specific technical briefings and guidance for businesses and oversees national public awareness campaigns to inform Canadians about cyber security and the simple steps they can take to build resiliency. The Cyber Centre has developed a set of baseline cyber security controls and mitigation strategies for small and medium organizations. In addition, the Department of Innovation, Science and Economic Development Canada (ISED) supports efforts to improve the cyber security postures of small and medium-sized organizations via the cyber security guidance outlined in the Baseline Cyber Security Controls standard (CAN/CIOSC 104: 2021). This program is designed to improve cyber protections for the organization, its clients, and its partners. Alongside these efforts to inform and grow resiliency, the Cyber Centre and law enforcement engage in sustained operations to constrain ransomware operators' ability to interfere with GC systems and Canada's critical infrastructure.

The Cyber Centre has been leading the GC's efforts on the development of a ransomware communications campaign for Canadians and Canadian companies. This campaign included the release of new ransomware materials to the general public, including:

Since Canada's Anti-Spam Legislation (CASL) came into force in 2014, it has continued to protect consumers and businesses from the misuse of digital technology, including ransomware. The Canadian Radio-television and Telecommunications Commission (CRTC) has the primary enforcement responsibility under CASL, and investigates, takes action against, and sets administrative monetary penalties for installing a computer program without express consent, such as when malware, ransomware, spyware or viruses are installed alongside computer programs, hidden in spam messages, or downloaded through links to infected websites. The CRTC and ISED encourage Canadians to use the Spam Reporting Centre (SRC) to provide as much information as possible about potential CASL violations.

Where the RCMP serves as the local police of jurisdiction, it investigates cybercrime that falls under its jurisdiction and mandate. At the federal level, RCMP Federal Policing has the mandate and authority to investigate cybercrime that targets GC systems and networks, critical infrastructure sectors, and other significant cybercrime threats to Canadian businesses and citizens that may have a high economic impact or are directed on behalf of foreign states. Under the FP cybercrime mandate, the greatest impact is realized by conducting investigations to identify and target Cybercrime-as-a-Service, criminal networks conducting illicit activity in the cyber realm, and hostile foreign actors (state and non-state). Investigations into these types of threat actors and tools are domestic and international in scope, can include strategic disruptions, and can lead to charges in Canada, or in a foreign jurisdiction. For example, during 2021 and 2022 the U.S. Federal Bureau of Investigation (FBI) and RCMP Federal Policing conducted parallel investigations into a NetWalker ransomware affiliate. The RCMP investigation, led by the Federal Policing Cybercrime Investigative Team in Toronto, resulted in the execution of search warrants in Canada, the seizure of cybercrime tools and proceeds of crime ($34 million in Bitcoin and almost $700,000 in cash), charges laid against the accused, and the extradition of the accused to the U.S.

As a National Police Service, the NC3 at the RCMP coordinates and supports ransomware and other cybercrime investigations in close collaboration with domestic and international law enforcement partners. For example, in December 2021, following a two-year cybercrime investigation led by the Ontario Provincial Police (OPP), and with assistance from the NC3, the OPP charged an Ottawa resident with cyber-related Criminal Code offences linked to numerous ransomware incidents affecting businesses, government agencies and private individuals throughout Canada and the United States. The lengthy investigation also included assistance from Europol and a parallel investigation by the FBI. Operations like this demonstrate the necessity for law enforcement to work together, share information and pool resources in today's digital era to combat ransomware and other cybercrime threats.

Given that ransomware is transnational, strong international cooperation is needed to address the threat of ransomware. Internationally, Canada works collaboratively with like-minded partners, including the Five Eyes, to combat the threat of ransomware by actively sharing lessons learned and, as appropriate, more closely aligning policies, activities, public messaging, and industry engagement. For example, PS is currently engaged with the Counter Ransomware Initiative (CRI), a U.S.-led initiative that provides an informal government-to-government mechanism for over 40 countries to improve international cooperation to counter ransomware. Additionally, the RCMP works with the FBI, the United Kingdom's National Crime Agency, the Dutch National High-Tech Crime Unit, Europol and the US-based National Cyber-Forensics and Training Alliance to advance efforts to combat ransomware.

Canada has also supported allies on multiple occasions with regard to public attributions against malicious activities including ransomware. These include high-profile ransomware incidents, such as WannaCry in 2017 and NotPetya in 2018. Publicly calling out perpetrators of malicious cyber activities holds threat actors to account and contributes to the deterrence of future attempts and incidents.
