Most Canadians 'likely to encounter' cybercrime, expert says after attack on youth services organization

While the CEO of Marymound, which works with vulnerable Manitoba youth, says no data was lost in a recent ransomware attack, a national cybersecurity expert warns that 'Most Canadians are likely to encounter cybercrime activity.'

Marymound, which cares for vulnerable Manitoba kids, says 3rd-party server kept data safe in ransomware attack

Fingers type on a laptop keyboard.
Marymound — which provides services for Manitoba kids through its school, foster homes and community programs — was the target of a ransomware attack earlier this month. (CBC)

It was 4 a.m. on Feb. 15 when the attack began.

Ransomware — malicious software that infects a computer and restricts access to a system until a ransom is paid — had infected the system of an organization that cares for some of Manitoba's most vulnerable youth.

Within 90 minutes of the attack at Marymound, the social services organization's third-party IT service provider had been informed of the breach and was working to restore operations.

The cyberattack left workers at Marymound — which provides services for thousands of kids each year through its school, foster homes and community programs — unable to use their computers for days.

While it created some chaos, no ransom was paid and no private health information was stolen, said Marymound CEO Nancy Parker.

"As you can imagine, it took people offline and [they] had to do some active work they were used to doing on a computer," she said.

"It often causes extra work, work that has to be redone."

The attack on Marymound is just one of the tens of thousands of cybercrimes committed in Canada each year — a number Statistics Canada and cybersecurity experts warn is growing each year.

Parker did not divulge the ransom amount that was demanded, but an attacker generally will ask for ransom to be paid in the cryptocurrency bitcoin.

Average ransom demand is $500

According to Symantec, a U.S.-based security software provider, the average amount of ransom demanded in 2018 was about $500 US. 

Parker said because Marymound's information was backed up to an off-site server, it was secure and could be restored without paying the ransom.

Security expert Jason Besner describes ransomware as a profit-driven type of cybercrime that targets random victims, and works by casting a wide net across businesses and organizations to find vulnerabilities.

A programner shows a sample of a ransomware cyberattack on a laptop in Taipei, Taiwan in this 2017 file photo. Ransomware attacks can be sparked by opening a link or an attachment in an email. Pop-ups asking a user to 'click here' can also be embedded with malware. (Ritchie B. Tongo/EPA)

Besner is the director for threat assessment and planning at the Canadian Centre for Cyber Security, a federal organization tasked with leading the government's response to cybersecurity events.

Its 2018 assessment on national cyberthreats offered a grim look at the online dangers facing Canadians.

It predicted that this year, cybercrime will be the threat most likely to affect Canadians, as those committing ransomware and other cyberattacks increase the scale of their activities "to steal large amounts of personal and commercial data."

"Ransomware is no longer a sophisticated cybertool," the report says. "Low-sophistication cyberthreat actors can now access it as a service that they rent or purchase on cybercrime marketplaces."

Ransomware tools 'more readily available'

Ransomware is growing in popularity, as more and more people are able to access the malware used to initiate an attack at a cheaper price, he said.

"Most Canadians are likely to encounter cybercrime activity, and ransomware falls under that category more than any other online threat," Besner said.

Ransomware attacks can be sparked by opening a link or an attachment in an email. Pop-ups asking a user to "click here" can also be embedded with malware.

"Illicit online marketplaces that are sustained by this activity are making these tools more readily available, and it is lowering the bar for sophistication in order to use these tools."

If you have everything in-house and on-site, you could probably be extremely crippled [by a cyberattack].- Marymound CEO Nancy Parker

Statistics Canada released a report last year that found almost 40 per cent of cybersecurity incidents involving businesses in 2017 were an attempt to steal money or demand a ransom payment.

The agency also found that police-reported cybercrimes had increased by over 80 per cent from 2014 to 2017.

The federal government highly recommends that an individual or business does not pay ransom, as there's no guarantee you will get access to your system.

"Once you pay the ransom, the [cybercriminal] can just ask for more money," Besner said.

Instead, the person or business should seek out a reputable data recovery service to assist them.

All cybercrimes should be reported to the Canadian anti-fraud centre, he said.

Attack could have been worse: Marymound CEO

Winnipeg police also recommend reporting ransomware attacks to the centre, as these incidents are usually not restricted to one city, but often occur countrywide.

A spokesperson for the Winnipeg Police Service said it does not centrally track police-reported ransomware incidents.

Parker said she did not know what caused the Marymound attack but said in the coming weeks, a full analysis will be conducted to try to find out.

The provincial government, which funds a large portion of Marymound's budget, was informed of the incident, she said.

A spokesperson for the provincial government declined to discuss its protocol for ransomware or whether the government has been attacked, saying it does not comment on security matters.

"If government systems are affected by ransomware, we assess issues on a case-by-case basis," the spokesperson said in a prepared statement.

Although it caused some headaches, Parker says a cyberattack like the one Marymound experienced could be far worse.

"There was no corruption of our backup servers or data," she said, attributing that to Marymound's use of a third-party server.

"If you have everything in-house and on-site, you could probably be extremely crippled."


Kristin Annable is a member of CBC's investigative unit based in Winnipeg. She can be reached at