Hackers demand bitcoin ransom in cyberattack on big Canadian restaurants

Restaurant company Recipe Unlimited, which owns many popular chains, has been told to pay ransom in bitcoin to retrieve data that hackers claim to have stolen. The company says the threat isn't real because its systems are protected.

Recipe Unlimited says there's no ransom threat because its systems are secure

East Side Mario's is one of the restaurant chains affected by the malware attack. As a result, some locations have had to temporarily close. (Nicole Williams/CBC)

A Canadian company that owns many popular restaurant chains has been told to pay ransom in bitcoin to retrieve data that hackers claim to have stolen. 

On Monday, Recipe Unlimited — formerly Cara Operations — said it was hit with a "malware outbreak" that's affecting operations at a "limited number" of its restaurants including brands Swiss Chalet, Harvey's, Milestones, Kelseys, Montana's, Bier Markt, and East Side Mario's.

Several locations have temporarily closed as a result. 

Following the cyberattack on Friday, a ransom letter popped up on computers at multiple restaurants owned by the company, some employees said. 

"All of our computer systems crashed," said a worker on shift at the time at an affected location. "The ransom note appeared under the file, 'read me' in a WordPad format. We were all really in a state of shock."

CBC News has agreed to keep employees' names and work locations confidential because they fear repercussions from their employer for speaking publicly about the incident.

An excerpt from the ransom note sent to restaurants owned by Recipe Unlimited on Friday.

The ransom note, obtained by CBC News, informs Recipe Unlimited that "there is a significant hole in the security of your company" and that "we've easily penetrated your network."

The hackers claim that they "crypted" the company's files "with the strongest military algorithms" and that, in order to restore the data, the company must pay an unspecified amount in bitcoin.

"The final price depends on how fast you write us," said the message, adding that every day of delay will cost 0.5 bitcoin, more than $4,000 Cdn.

"There's a big difference between malware and ransomware, and this is ransomware," said another employee at an affected location. 

"It's, 'We're taking all of your information and holding it hostage.'"

Company downplays the letter

Recipe Unlimited denies it's being held ransom, because it conducts regular system backups to protect its files. "We maintain appropriate system and data security measures," said spokesperson Maureen Hart in an email.

She also downplayed the letter, saying that it's a "generic" statement associated with a virus called Ryuk, and that exact copies of the ransom note can be found via a Google search.

CBC News found similar versions of the letter online, as well as a recent blog about Ryuk written by international cybersecurity company Check Point Research.

It said that in August, Ryuk attacked various companies worldwide and that "some organizations paid an exceptionally large ransom to retrieve their files," netting the hackers more than $640,000 US so far. 

Check Point also said Ryuk may be connected to a cyber operation in North Korea. 

On Sunday, customer, Lando Fiore posted a photo on Facebook showing this sign displayed at an East Side Mario's restaurant in Newmarket, Ont. It states the restaurant is closed because 'the head office computer was hacked.' (Lando Fiore/Facebook)

Recipe Unlimited declined to provide an update on when its computer problem would be resolved or the number of restaurants impacted. While multiple locations remain closed, a number of others cannot process debit and credit card transactions or accept online takeout orders.

Meanwhile, the ransom threat remains a concern for some employees who worry about hackers getting their personal information from the company's computer system. 

"There's no communication as far as what these people have and what they're doing with it," said one worker. "Do we need to be contacting our banks and stuff like that?"

Another employee said he has received no information from Recipe Unlimited about the cyberattack, and he wants more details.

"We're basically the front line for them, and we don't really know what's going on," he said. "Staff has been left in the dark."

Spokesperson Hart said the company has been in constant communication with affected restaurants and franchise owners, and employees shouldn't be worried.

"We have no indication that this limited malware incident has resulted in any data breach," she said. 

Recipe Unlimited franchises and/or operates more than 1,000 restaurants, mainly in Canada.


Sophia Harris

Business reporter

Based in Toronto, Sophia Harris covers consumer and business for CBC News web, radio and TV. She previously worked as a CBC videojournalist in the Maritimes where she won at Atlantic Journalism Award for her work. Contact:


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?