Photo illustrations by Anna Minzhulina

The Terrifying Rise of Ransomware Gangs

A new generation of ultra-sophisticated cybercriminals is targeting governments, corporations, hospitals and libraries, and laying bare how ill-equipped Canada is to fight back
By Caitlin Walsh Miller

On a July morning in 2022, Brad Hynes, the IT manager for the town of St. Mary’s in southwestern Ontario, was backing up the town’s computer systems when things went haywire. File names became unintelligible strings of characters. Desktop icons went blank. File after file was impossible to open, a string of digital duds. The background wallpaper on Hynes’s screen disappeared, replaced by the red-and-black logo of a Russian ransomware gang called LockBit. A line of all-caps text appeared: “All your important files are stolen and encrypted!”

Hynes immediately took the town’s systems offline to keep the hackers from digging into anything they hadn’t already compromised. Then he called the town’s CAO, who called his boss, Mayor Al Strathdee. Strathdee was on the highway, driving back to town from meetings in Toronto, and, like Hynes, he didn’t know what to do. There was no playbook for this situation, except the one provided by the hackers themselves. A file called “Restore-My-Files.txt” had been dropped into every compromised directory, with instructions for reaching the dark web: the part of the internet that is accessible only through special software such as the Tor browser, and that is widely used for criminal purposes of all kinds. The note explained how to install Tor. It didn’t specify how much ransom the town was expected to fork over, saying instead that LockBit would provide chat support and further instructions on how to pay with cryptocurrency. Otherwise, 67 gigabytes of data, including confidential information on town financials, infrastructure and services, would be posted to LockBit’s leak site, a dark-web location where ransomware hackers publish material they steal as a pressure tactic.
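The symptoms Hynes saw, a ransom note dropped into every compromised directory and files renamed to random strings whose contents no longer open, are exactly what a quick filesystem sweep can look for when an administrator suspects something is wrong. The following is an added example in Python, not code from the article or from anyone quoted in it. The note name comes from the story; the entropy and ratio thresholds, the scrambled-name heuristic and the sample directory tree are assumptions constructed for the demonstration.

```python
"""Filesystem sweep for the ransomware symptoms described in the article.

Added example, not code from the article. Assumed (not from the article):
the thresholds, the scrambled-name heuristic and the sample directory tree.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note name taken from the article; matched case-insensitively.
RANSOM_NOTE_NAMES = {"restore-my-files.txt"}
# Assumed thresholds.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted (or compressed) data is close to 8.0
NOTE_DIR_RATIO = 0.5      # flag when the note sits in at least half the directories
SCRAMBLED_RATIO = 0.3     # flag when >= 30% of files are scrambled-name AND high-entropy
# Long run of letters/digits with at most one short extension, e.g. "a3f9...c01e".
SCRAMBLED_NAME = re.compile(r"^[A-Za-z0-9_-]{12,}(\.[A-Za-z0-9]{1,12})?$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_scrambled(name: str) -> bool:
    """Name that reads as a random string: long, letters and digits mixed, no obvious stem.

    Legitimate names such as 'minutes-2022-07.txt' also pass, so this is only
    trusted together with the content-entropy check in sweep().
    """
    if not SCRAMBLED_NAME.match(name):
        return False
    stem = name.rsplit(".", 1)[0]
    return any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)


def sweep(root, sample_bytes: int = 4096) -> dict:
    """Walk a tree, counting ransom notes and files that look both renamed and encrypted."""
    root = Path(root)
    dirs = note_dirs = files = scrambled = 0
    notes = []
    for dirpath, _, filenames in os.walk(root):
        dirs += 1
        has_note = False
        for fn in filenames:
            path = Path(dirpath) / fn
            if fn.lower() in RANSOM_NOTE_NAMES:
                has_note = True
                notes.append(str(path.relative_to(root)))
                continue
            files += 1
            if looks_scrambled(fn):
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)  # the first few KB are enough for entropy
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    scrambled += 1
        note_dirs += has_note
    note_ratio = note_dirs / dirs if dirs else 0.0
    scrambled_ratio = scrambled / files if files else 0.0
    return {
        "directories": dirs,
        "note_directories": note_dirs,
        "files": files,
        "scrambled_files": scrambled,
        "notes": sorted(notes),
        "suspicious": note_ratio >= NOTE_DIR_RATIO or scrambled_ratio >= SCRAMBLED_RATIO,
    }


def build_sample_tree(root, infected: bool = True) -> Path:
    """Constructed sample data: two hit directories (note + scrambled files) and one untouched one."""
    root = Path(root)
    rng = random.Random(2022)  # fixed seed so the demo is repeatable
    if infected:
        for d in ("finance", "public-works"):
            (root / d).mkdir()
            (root / d / "Restore-My-Files.txt").write_text(
                "All your important files are stolen and encrypted!\n")
            for i in range(3):
                # e.g. "fi0-9c4e2b7a1d3f5e60": random-looking, mixes letters and digits
                name = f"{d[:2]}{i}-{rng.randbytes(8).hex()}"
                (root / d / name).write_bytes(rng.randbytes(4096))  # stands in for ciphertext
    (root / "untouched").mkdir()
    (root / "untouched" / "minutes-2022-07.txt").write_text("Council minutes, July 2022.\n" * 40)
    (root / "untouched" / "budget.csv").write_text("item,amount\nroads,1200000\n")
    return root


def demo(infected: bool = True) -> dict:
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        return sweep(tmp)


if __name__ == "__main__":
    for label, result in (("infected", demo(True)), ("clean", demo(False))):
        print(label, result)
```

The two signals are combined on purpose: a long hyphenated date-stamped filename is legitimate, and a JPEG or zip archive is high-entropy by nature, but a file that is both randomly named and incompressible, sitting next to a note with the same name in directory after directory, is hard to explain any other way. Run a sweep like this from a clean host against a mounted copy of the affected volumes rather than on the compromised machine itself.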

As in any emergency, the town mobilized. It hired a law firm, cybersecurity experts and a third-party negotiator. It tapped public works director Jed Kelly to step back into his old network administrator job and provide Hynes with extra backup. Strathdee was also in touch with the Ontario Provincial Police and the Canadian Centre for Cyber Security, the federal agency that’s meant to provide cybersecurity support to businesses and governments. But little came of those interactions. Strathdee hoped for some logistical help: a plan of action, resource and information sharing, maybe even financial assistance. He didn’t get anything. The cybersecurity centre wanted to know what kind of data was compromised, but Strathdee says the process of reporting the incident slowed down the town’s response, diverting scarce resources. The mayor likened the experience to being abandoned during a natural disaster. If a tornado tore through town, he told me, there would be an immediate emergency response from the province or feds. “We thought the cavalry was going to come in,” he says. “But there was nothing.”

The town spent a week negotiating with its anonymous attacker via the chat function on LockBit’s leak site. In the end, St. Mary’s agreed to a $290,000 ransom, paid in Bitcoin. Ultimately, the incident cost much more, after factoring in legal costs, the expense of monitoring the internet for chatter about the town’s information and, finally, rebuilding damaged computer systems. All told, the attack cost about $1.5 million—one-tenth of St. Mary’s entire 2022 budget.

Still, St. Mary’s fared better than other recently attacked Canadian municipalities. Last February, Hamilton suffered a ransomware breach that incapacitated city council, jammed up $36 million in property tax payments and disabled the fire department’s computerized dispatching system (the department used Google Maps to find addresses instead). The city didn’t disclose how much ransom was requested—“a whole hell of a lot of money,” Mayor Andrea Horwath told reporters—but it says it didn’t pay. Toronto was also recently victimized: last fall, an attack on the city’s library system shut down its website for months and made it impossible for Torontonians to see its inventory or place a hold. The hack likely exposed the names, social insurance numbers and addresses of employees going back decades. That kind of personal data is a hot commodity on the dark web, where it can be resold to other criminals and used to commit identity theft.

All of these incidents are part of an accelerating surge of ransomware attacks that have, in the past few years, struck Canadian cities, school districts, utilities, ports and private companies of all sizes with ever more frequent and severe breaches. In 2019, a ransomware attack on LifeLabs, a company that provides medical testing services, exposed test results and health numbers for millions of customers, mostly in B.C. and Ontario. LifeLabs paid an undisclosed ransom in order to regain control of the data. Two years later, an attack by the Russian ransomware group Hive paralyzed Newfoundland and Labrador’s health system, revealing to criminals personal data belonging to more than 10 per cent of the province’s population and, in some cases, banking information and social insurance numbers. The province has still not disclosed whether it paid a ransom. In 2022, Toronto’s SickKids, Canada’s largest pediatric hospital, suffered a LockBit attack that shut down many of its priority systems, phone lines and its website, and delayed some treatments and diagnostic tests. LockBit apologized for the attack, saying it went against the group’s rules, and provided a free decryptor. (Such restraint is far from universal: earlier this year, another gang refused to back down after attacking a children’s hospital in Chicago.) Still, it took weeks to fully restore the hospital’s systems. A non-exhaustive list of 2023’s Canadian ransomware victims includes five hospitals in southwestern Ontario; Black & McDonald, a Toronto-based engineering company that works on military bases and power plants; and the International Joint Commission, a body that manages water rights along the U.S.-Canada border.

The surge has been fuelled by the rise of organized cybercrime organizations known as ransomware-as-a-service, or RaaS groups—and LockBit has been one of the largest in recent years. Most ransomware attacks today are perpetrated not by lone-wolf hackers but by these consortiums, the underworld equivalent of software-as-a-service companies like Slack or Dropbox. Instead of corralling workplace chatter or helping families organize online photo albums, RaaS groups provide cloud-based cybercrime tools to users, called affiliates, who pay for pre-built software and code that can infect computer systems and steal data. In exchange for sharing a portion of their ransom, affiliates can get tutorials and tech support and then leverage the sophistication and backing of a large organization to go after bigger fish, even if they lack the skills or technical knowledge to do so on their own. Because these affiliates are cloaked in anonymity, their victims are usually powerless to strike back. 

The RaaS space has become competitive in the past few years, and Canada has rapidly become a favoured target. We’re the second-most-attacked country in the world, after the U.S., according to a threat report published last year by BlackBerry. (The Waterloo-based smartphone pioneer has, in the past few years, pivoted to become a cybersecurity enterprise.) A report last year from Mastercard found that the average cost of a breach in Canada is $5.64 million, after accounting for downtime, remediation and other expenses—not to mention ransoms themselves. In total, ransomware incidents may have cost the country as much as $3 billion in 2023. 

Yet our national response has been fumbling and fragmented. For the most part, every organization, city, hospital and business sorts through the aftermath of increasingly severe and costly attacks on its own. Internationally, Canada plays follow-the-leader when finding and prosecuting cybercriminals. Earlier this year, a multinational investigation led by Australia and Britain took down a phishing-as-a-service platform based in Canada. The RCMP played such a minor role that it was accidentally left off the initial press release issued about the bust. Domestic investigations into breaches like the one that struck St. Mary’s rarely yield suspects—nor are they really expected to. Arrests and prosecutions are so rare that even fairly inconsequential ones make splashy headlines. In 2021, cybersecurity expert Brian Krebs, a former Washington Post reporter, wrote on his blog, “For years I’ve been wondering aloud why more American cybercriminals don’t just move to Canada, because historically there has been almost no probability that they will ever get caught.”

In 1989, an American evolutionary biologist named Joseph Popp mailed 20,000 floppy disks to attendees of an AIDS conference hosted by the World Health Organization. One file on each disk was a questionnaire designed to gauge a person’s risk of contracting HIV. Another counted how often the user’s computer was rebooted. On the 90th reboot, it scrambled the names of the files on the user’s hard drive and displayed a message asking the user to send $189 to a PO box in Panama in exchange for decryption instructions. Popp didn’t make much from the wonky floppies—he was arrested less than two weeks later—but he earned the dubious distinction of becoming the father of ransomware.

For the next two decades, it remained a low-stakes game: lone hackers targeted individual computers or small networks, and ransoms were small, often just hundreds of dollars, paid by wire transfer or even gift cards. Modern ransomware emerged in the 2010s, when dark-web cybercrime forums offered a safe place for hackers to scheme and exchange information. In 2013, Russian cybercriminals developed ransomware called CryptoLocker and became the first to demand payment in Bitcoin, which could be sent and received outside the banking system under pseudonymous wallet addresses. CryptoLocker spread largely through malicious email attachments, and it struck more than 230,000 victims worldwide within a year. In 2017, new ransomware called WannaCry infected as many victims within days. Unlike CryptoLocker, it didn’t rely on infected emails. Instead it self-propagated, autonomously seeking out computers that had not yet installed a Windows file-sharing patch Microsoft had released two months earlier. It’s estimated to have caused roughly US$4 billion in damages; among its high-profile victims were Germany’s national railway and the U.K.’s National Health Service, which was forced to cancel appointments and medical procedures.

By the mid-2010s, ransomware had come a long way from a crate of floppy disks. It required a complex set of skills: writing malware to freeze a victim’s files, negotiating and extorting payments, laundering the proceeds. It was around this time that the first RaaS groups emerged to pool their criminal resources and combine expertise. In 2019, a new ransomware variant called ABCD first appeared on the scene. By January of 2020, it had rebranded as LockBit and began appearing on Russian cybercrime forums, alongside what amounted to recruitment ads for interested affiliates. The RaaS scene was crowded, with dozens of active groups with names like NetWalker, Ryuk, Conti, Janus and Satan. So LockBit engaged in some creative PR to draw in affiliates, including a “summer paper contest” requesting scholarly essays on “malware exploitation and monetization” and “phishing in practice” and offering prizes of up to US$5,000. But it was LockBit’s payment model that really drew in new affiliates. Most RaaS organizations at the time controlled ransom payments, doling out affiliates’ cuts when, or if, they decided to. LockBit flipped the model. Ransoms flowed to affiliates first, who kept roughly 80 per cent and passed the remaining 20 per cent on to the group.

As LockBit worked on its recruitment strategy, the pandemic struck, creating a newfound bounty of data for ransomware hackers to exploit. Workplaces shut and employees around the world fanned out to makeshift home offices; Statistics Canada estimates that nearly 40 per cent of Canadian employees worked from home during 2020, compared to just seven per cent pre-pandemic. All of those people were suddenly accessing their workplaces remotely, often through hastily built remote-work systems or simply by personal email, creating an explosion of badly secured entry points into valuable workplace networks.

The result was an all-you-can-hack data buffet, and the concurrent rise of RaaS groups meant there were more hackers than ever able to exploit it, with the resources of increasingly capable cybercrime groups behind them. A report by the cybersecurity platform SonicWall found that there were three times as many ransomware attacks globally in the second quarter of 2021—nearly 200 million—as there were in the year before. New records were broken each month, and hackers increasingly paired encryption with another tool of the trade: data exfiltration. Information was not only being encrypted, but copied, held over victims as a threat of publication and sold on the dark web.


Canada is especially flat-footed in its response to ransomware, undermined by institutional secrecy, slowness and poor communication between the mishmash of bodies responsible for cracking down on cybercrime, including the RCMP, the CRTC and provincial and local law enforcement. Last year, Canada’s auditor general, Karen Hogan, began preparing a report on Canada’s cybercrime response. She found that reporting and tracking had been a mess for years. Thanks to poor record management and unreliable data, the RCMP, which is tasked with investigating threats to the federal government and critical infrastructure, couldn’t produce an accurate count of cybercrime reports it had received. Thousands of complaints to government bodies in the past few years were never acted upon or forwarded to appropriate authorities. The CRTC, which is tasked with enforcing anti-spam legislation to protect against phishing and online scams, received roughly 75,000 reports of cybercrime incidents in 2022 alone. But from 2020 to 2023, it initiated only six investigations. During one investigation, a law enforcement agency told the CRTC it would receive a warrant for devices in its possession. The CRTC said a warrant wasn’t viable, since data on the device had been deleted. That was untrue, but CRTC staff did delete it later. At the Canadian Anti-Fraud Centre, which is supposed to help individuals victimized by cybercrime, rather than organizations, Hogan found that initial complaints are managed on one system while follow-ups are tracked in another. The two have to be manually linked, which rarely happens. The result is that just six per cent of high-priority cases—involving losses of $10,000 or more—received appropriate follow-up. 

It’s often not even clear where Canadians should go to report a crime. In 2018, the federal government released a National Cyber Security Strategy, a major component of which was the creation of a dedicated RCMP unit called the National Cybercrime Coordination Centre, or NC3. It was supposed to act as a central hub for investigations and a one-stop shop for cybercrime reporting, like the Internet Crime Complaint Center in the U.S. or Action Fraud in the U.K. But throughout 2020 and 2021, as cyberattacks were exploding, visitors to NC3’s site were informed that its new reporting system wouldn’t be in place until March of 2022. It still hasn’t launched. The AG report summed up its findings damningly: “Canada does not have capacity and tools to fight cybercrime.”

Even if the NC3 functioned perfectly, it’s not intended to be an elite cybercrime unit, engaging in offensive cyber operations—that is, hacking into criminal organizations to disrupt and dismantle their systems. It’s simply a way to coordinate efforts between Canada’s grab bag of other agencies. The U.S. has 16,000 agents dedicated to cyberoffensive operations, while the U.K.’s offensive hacking unit has been up and running for a year. That kind of proactive approach is not Canada’s strong suit. Steve Waterhouse is a cybersecurity consultant and lecturer, who served as a deputy minister of cybersecurity in Quebec in 2022. “The NC3 was a nice idea, but it’s very late to the race,” he says. He also points out that international police agencies have long-standing cyberteams. The EU’s law-enforcement agency, Europol, created one in 2013, and the FBI in 2002. Still lacking such an organization, Canada relies on tips from global partners to sniff out cybercriminals operating within our borders. The result is that, despite being one of the most-attacked nations on Earth, Canada has one of the worst records when it comes to hunting down criminals operating on our own soil. 

One of the few cybercriminals Canada has apprehended in the past few years is Mikhail Vasiliev. He was born in Moscow in 1989 and moved with his parents and sister to Canada in 2002, when he was around 13 years old. He attended high school in York Region, near Toronto, and eventually married and started a family in Bradford, about 60 kilometres north of the city. He began reaching out to RaaS groups, in hopes of becoming an affiliate, at least as early as 2019. Prior to that, he had no criminal record.

In September of 2020, the FBI notified the Ontario Provincial Police that it was investigating Vasiliev, who it suspected was a member of LockBit. At first, the FBI’s data was limited, so the OPP didn’t treat the file as a high priority. The force was also tied up with other cyberinvestigations. “Resources are finite,” says Detective Inspector Matt Watson, a major case manager with the OPP who became the lead investigator on the Vasiliev file. “We can only get to things as we get to them.”

For the better part of the next year, the FBI kept digging, updating Ontario officials as they went. Vasiliev kept busy too. In May of 2021, he attacked Crestline Coach, a company in Saskatoon that builds ambulances, rescue trucks and buses. Early one morning, he shut down its computer system and demanded $1 million. Crestline’s operations were crippled, so it opted to play ball, hiring forensic IT specialists to negotiate a ransom. The company eventually paid Vasiliev nearly $280,000 in Bitcoin. 

That’s not bad, all things considered. Ransoms have ballooned in recent years, thanks in part to cryptocurrency enabling easier payments and to attackers researching targets in advance and learning how to right-size their demands. The average ransom paid by Canadian companies last year was $1.13 million, up from $460,000 in 2021. The decision to pay a ransom depends on the circumstances of the breach. If hackers haven’t stolen data and the organization has a decent backup system, one kept offline or otherwise out of the attackers’ reach, it’s not likely to hand over any money. If the breach is potentially catastrophic—as it was for Crestline, which faced indefinite downtime—businesses tend to cough up. Without official recommendations from law enforcement and government, ransomware has also become a wellspring for parallel private industries like forensic IT, dark-web consultants, ransom negotiators and cyberinsurers, who often call the shots after a hack. That’s what happened in Stratford, Ontario, after a cyberattack in 2019 compromised sensitive personal data in the municipal government’s system. Police advised against paying the $75,000 ransom, but the town’s insurer said otherwise: it would foot the bill for the ransom but not the likely greater cost of rebuilding the town’s database from scratch.

Vasiliev likely perpetrated the attack using LockBit 2.0, an update to the group’s original ransomware. It featured faster encryption—the fastest on the market, LockBit claimed—and an early version of the point-and-click control panel that would become a trademark feature, consolidating the ransomware’s tools into one user-friendly interface. Affiliates could easily scan a target network for vulnerable servers, terminate security services and delete backups, shadow copies and other files that might help victims restore their data. Push notifications even pinged affiliates when a target responded to a ransom note.

By July of 2021, OPP investigators believed they had enough intel from the FBI to start their own parallel investigation into Vasiliev, dubbed Project Archie. For more than a year, the OPP gathered evidence, including IP addresses, phone records and tracking and transmission data from his cellphone and vehicle. It remotely accessed his devices and networks, cryptocurrency wallets and online platforms, and used his login credentials to access cybercrime forums. At every turn, investigators applied for warrants and judicial authorizations. “Law enforcement moves at the speed of the judicial process,” says Watson. “Cybercrime moves at the speed of electrons.”

Even as the OPP’s investigation dragged on, Vasiliev racked up victims. Early one day in January of 2022, Vasiliev attacked Carol Lake Metal Works, a company in Labrador City, disabling email and encrypting its servers. Following the instructions in the ransom note, an employee tried to reach him over the anonymous Tor browser; when that went nowhere, the company opted to rebuild its systems from scratch. Between lost revenue due to downtime and the cost to repair the damage, the breach cost Carol Lake $113,000. That May, Vasiliev targeted Montreal’s Transat Telecom, a small internet service provider. Early one morning, Transat employees noticed they couldn’t join servers or connect to the company’s private network. The company’s billing systems and call centre tools were down. Vasiliev initially demanded $1 million, though he offered to cut it to $500,000 if the ransom could be paid quickly. Transat eventually negotiated Vasiliev down to US$5,000 in Monero cryptocurrency. Still, the breach cost the company around $100,000 to remediate.

In August of 2022, more than a year after launching Project Archie, the force received a warrant to covertly search Vasiliev’s home. There, they found a file named “TARGETLIST,” detailing past and potential future victims, as well as source code for a program designed to encrypt data. There were also photographs of a computer screen showing usernames and passwords of employees from a Canadian target and screenshots of messages exchanged with a user named LockBitSupp, the group’s purported leader. In late October, the OPP was back with another warrant, accompanied by agents from the FBI and the RCMP. This time, Vasiliev was home—working on his laptop at a table set up in his garage, logged in to LockBit. Officers swarmed, and restrained Vasiliev before he could shut down his computer. 

The OPP charged Vasiliev with firearms-related offences that day. He spent six days in jail before being released on bail. Two weeks later, on November 9, federal prosecutors in the U.S. District of New Jersey charged him with conspiracy to intentionally damage protected computers and to transmit ransom demands, among other charges.

A year later, in December of 2023, the OPP finally charged him with extortion and the unauthorized use of a computer in relation to crimes against Crestline, Carol Lake and Transat Telecom; limited resources played a part in the delay. Vasiliev waived his right to a preliminary hearing and pleaded guilty to all counts in a Newmarket courtroom in February. He was sentenced to just under four years in jail and ordered to pay $860,000 in restitution to his victims. This June, he was extradited to New Jersey to face charges there.

He’d been caught red-handed, which is just about the only way for law enforcement to charge a suspect successfully. An IP address isn’t enough: the address assigned to a device can change or be shared, and a device can be used by more than one person. Project Archie succeeded only because the cops caught Vasiliev at the exact moment he was engaging in his crimes. This is one of the many reasons it’s so difficult to catch and convict cybercriminals. Apart from Vasiliev, there have been just two notable Canadian ransomware arrests over the past few years. In 2022, Sébastien Vachon-Desjardins—unassuming government worker by day, star affiliate of Russian ransomware group NetWalker by night—was sentenced in Canada to seven years for extorting $2.8 million from 17 Canadian victims (his international haul likely totalled over US$15 million). This January, an Ottawa man named Matthew Philbert got two years for targeting approximately 1,100 victims—individuals, family businesses, police departments and other organizations. The OPP dubbed him “the most prolific cybercriminal we’ve identified to date in Canada.” That descriptor has stuck, due to the sheer number of victims connected to him, though Philbert’s actual success rate is far less impressive: he only managed to pull in about $50,000 from his crimes.

After Vasiliev’s arrest, media attention suggested that he was a mastermind, or at least a major figure within LockBit. The American cybersecurity strategist Jon DiMaggio suspects this was wishful thinking. DiMaggio spent a year undercover with LockBit, masquerading as a wannabe affiliate and chatting with its developers on a private messaging service. He’s familiar with the group’s technological and social infrastructure and doubts a core member would be living in a U.S.-friendly country—most are in Russia, Belarus and other former Soviet states. Vasiliev didn’t even appear to have access to LockBit 3.0, the most recent version of the ransomware, released in 2022. 

Vasiliev’s arrest certainly didn’t make much impact on LockBit as a whole. Throughout 2023, a wave of bigger-than-ever LockBit attacks dwarfed, in scale and severity, anything Vasiliev had accomplished. In most cases, no perpetrator was identified and no arrests were made.

Canada was targeted again and again. In February of 2023, a LockBit attack took down Indigo Books and Music’s website and app, shutting down the company’s electronic payment systems, delaying orders and compromising online sales for weeks. Indigo lost $50 million that year, in large part due to the cyberattack. Then, in August, the group targeted the Commission des services électriques de Montréal, the municipal organization responsible for the city’s underground electricity and telecommunication network. A month later, a LockBit breach at a third-party software vendor compromised the websites and apps for the Weather Network and MétéoMédia, its French-language equivalent, for weeks. And in October, the group attacked BGRS/SIRVA, a contractor that provides moving services to the Canadian government. The incident resulted in the theft of 24 years of personal and financial data on government, military and police employees.

In February, Operation Cronos, a global task force led by the U.K.’s National Crime Agency, pulled off a reverse assault on the group. The task force, which included the FBI, Europol and law enforcement from other countries, infiltrated LockBit’s systems and seized control of its servers and leak site, where it posted a message that read, “This site is now under control of the U.K., the U.S. and the Cronos task force.” Two LockBit members were arrested in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group were frozen. Canada played a role too, albeit a minor one—our National Cybercrime Coordination Centre notified potential domestic victims and passed on information about tools they could use to decrypt their data. 

In May, the U.K. identified a Russian citizen named Dmitry Yuryevich Khoroshev as the group’s likely leader, LockBitSupp. The U.S. indicted him on 26 criminal counts, and the U.S. Treasury Department also sanctioned him, which means anyone involved in transactions with Khoroshev—including anyone paying him a ransom—could also be exposed to sanctions.

A week after law enforcement seized LockBit’s leak site, a new one went up. But given the U.S. sanctions, most victims are refusing to pay, including the western Canadian pharmacy chain London Drugs, which was attacked in April, forcing most of its 79 stores to close for days. Many cybersecurity experts suspected that LockBit would fade away after the sanctions, but the group has proven resilient. Jon DiMaggio told me he’s “absolutely bewildered” by its continued activity, estimating by number of confirmed attacks that LockBit is still among the biggest RaaS groups out there.

Regardless, the ransomware business is a hydra: chop off one head and another will rise to replace it. There are plenty of additional groups out there, including Inc. Ransom, RansomHub and Black Basta, which took down the Toronto Public Library last year. In fact, the months following the LockBit takedown were the busiest Dubrovsky’s ever had. His hypothesis is that a revitalized army of affiliates, doubtful about LockBit’s future, are looking to prove themselves. Some are now using AI to supercharge their efforts. Criminal chatbots such as WormGPT and FraudGPT are marketed as able to write malware and phishing lures on demand, and their sellers claim they can produce ransomware that rewrites its own code in real time to evade detection, a capability security researchers have yet to confirm in the wild. The U.K.’s National Cyber Security Centre has predicted that AI will lower the barrier to entry for criminals just as RaaS did, generating a new wave of novice hackers who could craft convincing deepfake voice notes requesting login credentials, help attackers gather target information faster and even produce chatbots that could negotiate with victims.

As the technology becomes more complex, the targets are getting bigger still, as are the perpetrators. This April, a series of breaches targeting the British Columbia government email system was carried out by, according to the head of the provincial public service, “a state or state-sponsored actor.” According to Steve Waterhouse, state-sponsored agencies are constantly poking at critical infrastructure, including gas and oil, water treatment, and power generation and distribution. And no ministries or departments, he says, are proactively tackling the problem. Again, the contrast to the U.S. is sharp: over the past few months, there have been a handful of publicly divulged attacks in that country against water treatment plants by Russian and Iranian groups. In response, the Environmental Protection Agency announced in May that it was ramping up inspections of critical water infrastructure. “That just shows you how fast things should move,” says Waterhouse.

Meanwhile, the NC3 still has no system for triaging or documenting cases. The centre has also been plagued by other problems: it has closed cases that were still unresolved and failed to forward requests from international partners to domestic law enforcement. Meanwhile, the National Cybercrime Solution, a $70-million IT system meant to support NC3’s reporting portal and act as a database for law enforcement personnel, is two years behind schedule. Provincially, only two provinces have ministries dedicated to cybersecurity: Quebec since early 2022 and Nova Scotia since last year. Neither has done much yet. Ontario, Alberta and B.C. are considering establishing their own, though there remains nothing similar at the federal level. The U.S. has had a national cyberdirector—a member of the executive team with a direct line to the president—since 2021.

There’s also little transparency in the world of cybersecurity. Companies are reticent about reporting breaches; the Canadian Anti-Fraud Centre estimates that between five and 10 per cent of incidents are reported. And most provinces don’t track or won’t share information about attacks on public-sector entities. If a breach is reported, victims usually don’t get much in the way of intel after the fact. That was the case with the town of St. Mary’s. “Our legal team heard a rumour someone might have been arrested, but we don’t know,” says Mayor Strathdee.

Dan Mathieson, the mayor of Stratford, had a similar experience after the attack that cost his town $75,000. “You notify the police,” he says, “but at the end of the day, there’s not an active investigation that would ever, ever go on.” Mathieson is today a special adviser at the Catalyst Institute for Cyber Security at Toronto Metropolitan University. He has observed the same pattern over and over: “How many people have been charged when a health unit, a municipality, a government agency, has been hacked? I can’t think of too many, and it continues unabated.”

Given deficiencies in reporting, tracking and investigating cyberincidents, Canada is poised to be victimized time and time again without even knowing where the attacks are coming from, who’s behind them and how they got in. The rise in cybercrime could have deep economic consequences, says Watson. Imagine an auto plant in Ontario forced to halt production overnight, or an attack on a utility like Hydro-Québec (which has been attacked in the past), shutting down power as well as jeopardizing its power-supply contracts in the U.S., a major source of revenue for the Quebec government.

And as more network-connected devices come online—vehicles, smart appliances, fitness trackers, surveillance cameras and far more—the attack surface will keep growing. Whether a hacker gains a foothold through an unsecured smart thermometer or exploits the federal government’s threadbare patchwork of outdated IT systems, the consequences could be devastating. Attackers could trigger a city-wide blackout or shut down a hospital. They could poison a town’s water supply. They could hack into a nuclear reactor. What once seemed like the stuff of alarmist sci-fi is now increasingly plausible.

“It’s impossible to keep up with the pace of attacks,” says Steve Waterhouse. “It’s a passive approach. Where’s the action?” ■



This story appears in the September issue of Maclean’s.