The Cyberattack That Stole 280,000 Identities—and Showed How Easily We Can Be Duped


Earlier this year, staff at Nova Scotia Power presented a proposal to improve their cybersecurity. For the private company that supplies most of the province's electricity, it had been three years since an internal threat assessment identified key vulnerabilities, particularly in the power plants and substations that feed the grid. If approved, the work would be completed by the end of the year.

They never had a chance. Just three weeks after the proposal was submitted, hackers struck. But not to sabotage the infrastructure. Instead, they stole the personal details of at least 280,000 customers: emails, phone numbers, home addresses, bank details – enough for determined malcontents to impersonate individuals and wreak havoc. Then came the ransom demand. The company claims it didn't pay, and some of the stolen information was posted online. Several weeks after the attack was reported, a couple from Nova Scotia who were customers of the utility logged into their bank account and discovered that $30,000 was missing.

The Nova Scotia government is hardly an exception. Ransomware gangs have made government agencies easy targets, hacking them, locking files and holding them hostage for money. Refuse, and the information will become public knowledge. Among the most high-profile breaches are those at the Alberta Dental Service Corporation and the Toronto District School Board.

The situation in the private sector is perhaps even more dire. Eighty-three percent of Canadian businesses surveyed by Telus in 2021 reported a ransomware attack. Almost half admitted that they paid. In a recent report, the Canadian Cyber Security Center warns that ransomware is now “the leading cybercrime threat facing Canada's critical infrastructure,” with average payouts expected to exceed $1 million in 2023. The broader losses are staggering: in 2024, Canadians lost over 600 million dollars to fraud and cybercrime – much of it related to identity fraud made possible by personal data stolen in the Nova Scotia Power attack.

While Canada has been slow to adapt to the threat, ransomware has surged forward over the past five years, fueled by pandemic-related security concerns and advances in artificial intelligence. Today's malware is smarter, faster, and harder to detect. For organizations, these attacks can mean reputational damage, loss of trust with employees and customers, and recovery costs running into the millions. In 2023, companies around the world paid hackers a total of more than $1 billion.

But for victims, the attacks can mean years of uncertainty and vulnerability as their most sensitive records are bought and sold in the darkest corners of the internet.

Ransomware is about as old as the World Wide Web. The first known attack occurred in 1989, when 20,000 copies of a floppy disk containing what appeared to be AIDS research were mailed to researchers attending a World Health Organization conference on AIDS. Instead, anyone who inserted it ended up finding their computer locked, along with a demand note for up to $378, payable at a mailbox in Panama. The culprit, a Harvard-educated evolutionary biologist and AIDS researcher named Joseph Popp, was arrested and charged with multiple counts of blackmail. He is widely considered the inventor of this form.

Ransomware has evolved along with the technology that makes it possible. The rise in popularity of cryptocurrencies such as Bitcoin in the 2010s gave cybercriminals an irreversible way to move huge amounts of money. The rise of 5G and the Internet of Things—smart refrigerators, lights, locks, alarms—opened new doors for hackers to infiltrate wider systems through everyday devices. And while telecom companies, tech giants and government agencies rushed to bolster their defenses, attackers continued to return to one of their weakest links: people. Phishing emails and “malvertising”—infected advertisements—remained among their most effective weapons.

By the late 2010s, ransomware had become a full-fledged business, in which hackers sold their software to affiliates who carried out attacks and split the profits. The kits cost only $40 a month, dramatically expanding the range of criminals involved. While the affiliate model has broadened the range of targets and made it harder for law enforcement to trace viruses back to their creators, it has also created its own headache: LockBit, once the world's most common strain of ransomware, issued a rare public apology after one of its affiliates hacked Toronto's Hospital for Sick Children, prompting the group to announce it was severing ties with that affiliate.

It wasn't just freelancers who profited. The partnership model has opened doors to foreign countries, including Russia, Iran and China. North Korea in particular has turned this into a source of income, with estimates suggesting that $3 billion raised from cyberattacks between 2017 and 2023 was allegedly used to finance its nuclear ambitions.

And when Covid-19 hit, hackers got a windfall. The number of personal logins from remote work increased, and with them millions of potential points of breach. As criminals penetrated unsecured laptops and phones, the damage quickly increased. From 2021 to 2023, total recovery costs for Canadian companies doubled from $600 million to $1.2 billion.

Then came generative AI. Ali Ghorbani, director of the Canadian Cyber Security Institute at the University of New Brunswick, says the technology has given hackers new advantages. They can now produce countless variations of the same attack. It also makes phishing scams more convincing with personalized emails, realistic voice recordings and deepfake videos. In one case, an employee of a British engineering firm was tricked into transferring US$25 million after a video call with AI-generated “executives.”

All this has changed the rules of working with ransomware. In 2019, preparations for the attack took about sixty days. Today only four are required. “The attacks have gotten bigger,” says Ghorbani. “And the ransoms have also become larger.”

Canadian institutions are lagging behind. The cost of rebuilding a business doubled between 2021 and 2023, but investments in preventive cybersecurity have actually declined. Companies rely on insurance instead, with almost one in four now counting on policies to absorb hacker payouts. Paying after the fact may seem cheaper than preventing attacks in the first place.

The chronic lack of talent doesn't help. As of 2021, Canada was short of 25,000 cybersecurity professionals. One out of six vacancies is not filled. The process is slow: it can take years of specialized education and training before recruits are ready for permanent positions, and critical positions remain vacant as threats grow. Meanwhile, Ottawa's sweeping legislative effort failed. Bill C-26, the government's first major attempt to shore up critical infrastructure, required key agencies in telecommunications, banking and transportation, among others, to build defenses. The bill died when parliament was prorogued in January this year. Its counterpart, Bill C-8, was introduced in June but will have to start the process all over again before it becomes law.

For the millions of people whose data has already been compromised – and the millions more who are still at risk – Canada's sluggish reforms are cold comfort. According to Ghorbani, once a breach has occurred, it cannot be corrected. “No matter what we say, mitigation is not possible.” Customers have no way of knowing whether their personal information is circulating on the dark web, and they have little ability to prevent it from being used as a weapon. “All data has value, no matter how small,” says Ghorbani. And once it appears, criminals will find a way to exploit it.

For example, a canceled credit card number may lose much of its value, but when combined with a name and address, it can still facilitate identity theft and fraud. In some cases, credit card payments may not even go through after cancellation if they are processed by certain providers.

The response from institutions that have lost their clients' data is often underwhelming. For example, Nova Scotia Power offered what has become a standard post-breach gesture: several years of free credit monitoring, a service that flags changes in your credit file—for example, when a new card or line of credit is opened in your name. Customers also received a checklist of actions to reduce the likelihood of further compromise. There are few reports of actual compensation or reimbursement.

Ultimately, Ghorbani argues, the focus needs to shift to prevention, such as through public education and early investment by Canadian companies in their own defense. For individuals, this means simple but consistent habits: changing passwords, two-factor authentication, and updating software. For institutions, this means relying on their own cybersecurity staff rather than outside consultants, training employees on best practices and being careful about what customer data they store. However, even with stricter protections in place, Ghorbani warns, ransomware is here to stay.

“We put locks on our houses and cars,” he says. “Cybersecurity solutions work the same way.” But unlike a lock, which you install once, it's a never-ending process. “This is something that will stay with us forever.”

Kunal Chaudhary is a journalist whose work has appeared in publications such as Local, West End Phoenix, Violation, Distance, Globe and Mail and TVO. He is based in Toronto.
