Ransomware: What Canadian Businesses Need to Know Before, During, and After an Attack
In April 2024, a ransomware attack forced London Drugs to close all 79 of its retail stores across Western Canada for over a week. The attackers demanded $25 million. The company refused to pay. In February 2024, a ransomware attack crippled roughly 80% of the City of Hamilton's network — including business licensing, property tax systems, and city phone lines. The recovery cost reached $18.3 million, and the city's cyber insurance claim was denied because multi-factor authentication had not been fully implemented at the time of the attack.
These are not isolated incidents. They are part of a pattern that is accelerating across Canada, and small and medium businesses are not exempt from it.
Ransomware in Canada: The Scale of the Problem
The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2025-2026 is unambiguous: ransomware is the top cybercrime threat facing Canada's critical infrastructure. Canadian ransomware incidents have increased by an average of 26% year over year between 2021 and 2024, and that pace is expected to continue.
Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime found that 1 in 6 Canadian businesses (16%) were impacted by a cybersecurity incident, with 13% of those identifying ransomware as the method of attack. Across all Canadian businesses, total spending on recovery from cyber incidents doubled from $600 million in 2021 to $1.2 billion in 2023.
The average ransom payout in Canada reached $1.13 million in 2023. But the ransom itself is only a fraction of the total damage — the real cost of downtime includes lost revenue, idle employees, departed customers, legal fees, and recovery expenses that can dwarf the ransom demand.
If you believe your business is too small to be targeted, consider this: the Ransomware-as-a-Service (RaaS) model has lowered technical barriers so far that attackers can rent sophisticated tools without building them. These operations scan thousands of networks simultaneously, looking for unpatched software, weak passwords, and missing multi-factor authentication. They do not check your revenue before they encrypt your files.
Canadian Incidents That Made It Real
Recent incidents show what a ransomware attack looks like in practice for Canadian organizations:
- Indigo Books & Music (February 2023) — LockBit ransomware shut down the company's point-of-sale systems, e-commerce, and all internal systems. Employee data including Social Insurance Numbers was stolen. Indigo refused to pay and reported a $26.5 million revenue decrease for the quarter.
- Toronto Public Library (October 2023) — Black Basta ransomware took down all digital services across 100 branches. Employee data going back to 1998 was stolen. The attackers demanded $10 million. The library refused to pay. Full service restoration took nearly five months.
- City of Hamilton (February 2024) — Recovery cost $18.3 million. The cyber insurance claim was denied because MFA was not fully deployed — a direct consequence of an incomplete authentication strategy.
- London Drugs (April 2024) — All 79 stores closed for over a week. The $25 million ransom demand was refused. Corporate employee data was leaked on the dark web.
- Nova Scotia Power (March 2025) — Personal and financial information of nearly 280,000 customers was exposed — roughly half of its entire customer base.
Every one of these organizations refused to pay. Every one faced months of disruption.
Before an Attack: What to Do Now
The decisions that determine whether your business survives a ransomware attack are made before it happens. Once the ransom note is on your screen, your options are already narrowed to what you prepared.
Have an Incident Response Plan (BC.1)
The single most important thing a Canadian SMB can do is have a written plan for what happens when a cybersecurity incident occurs — before one actually does. The Canadian Centre for Cyber Security's Baseline Controls designate this as BC.1, the first of the 13 fundamental control areas, because everything else depends on it.
Your plan does not need to be a hundred-page document. At minimum, it should answer:
- Who is in charge? Name a specific person (and a backup) responsible for leading the response
- Who do you call? Include contact details for your IT provider or managed security service, your cyber insurance carrier, legal counsel, and the Canadian Centre for Cyber Security (1-833-CYBER-88)
- What systems are critical? Know which systems must come back first and what data they depend on
- Where is the plan? Keep a hard copy accessible. If your network is encrypted, a plan stored only on the network is useless
The CCCS publishes a Ransomware Playbook (ITSM.00.099) that provides a detailed operational framework for prevention, response, and recovery. It is free and written for Canadian organizations.
Back Up Your Data — and Test the Backups (BC.7)
Reliable backups are the difference between a ransomware incident and a ransomware catastrophe. If you can restore your systems from clean backups, the attacker's leverage disappears.
The Baseline Controls (BC.7) require organizations to back up essential business information, store backups encrypted, and ensure recovery mechanisms actually work. The critical details are:
- Follow the 3-2-1 rule: Three copies of data, on two different types of storage, with one copy stored offline or offsite — disconnected from your network
- Test your restores regularly. A backup that has never been restored is a backup you are hoping works. Hope is not a strategy.
- Keep offline backups. Ransomware specifically targets connected backup systems. If your backup is always online and reachable from the same network, it will be encrypted alongside everything else.
Patch Your Systems (BC.2)
Unpatched software is one of the most common ways ransomware operators gain initial access. The CCCS prioritizes automatic patching as the second most important security action an organization can take.
Enable automatic updates for operating systems and applications wherever possible. For software that requires manual updates, establish a regular patching cadence — and do not let critical patches sit for weeks.
Enforce Multi-Factor Authentication (BC.5)
Stolen or weak credentials remain a primary way attackers get into business networks. MFA makes a stolen password insufficient on its own.
The Baseline Controls (BC.5) require MFA wherever possible, with particular emphasis on financial accounts, administrator accounts, cloud services, and senior executive accounts. The City of Hamilton's denied insurance claim makes the business case starkly clear: strong authentication is not optional, and insurers are verifying it.
Train Your People (BC.6)
Phishing remains the most common delivery mechanism for ransomware. An employee who clicks a malicious link or opens a weaponized attachment can give an attacker initial access to your network in seconds.
Invest in security awareness training that covers how to recognize phishing emails, what to do with suspicious messages, and how to report potential incidents. The Canadian Centre for Cyber Security and Get Cyber Safe offer free resources for Canadian organizations.
Restrict Access (BC.12)
Follow the principle of least privilege: employees should only have access to the systems and data they need for their role. Administrative accounts should be used only for administrative tasks — not for email or web browsing.
If ransomware compromises a user account with broad access, it can move laterally across your entire network. If that same account has only the minimum necessary permissions, the blast radius is contained.
During an Attack: What to Do When It Happens
If you discover a ransom note, encrypted files, or other signs of a ransomware attack in progress, your actions in the first hours are critical.
1. Isolate Affected Systems Immediately
Disconnect compromised machines from the network — wired and wireless. The goal is to stop the ransomware from spreading to additional systems, backup infrastructure, and shared drives. Do not power off the machines unless absolutely necessary, as forensic evidence in memory may be lost.
If you have network segmentation, isolate affected segments. If you do not, disconnect everything you can and assess which systems are still clean.
2. Activate Your Incident Response Plan
This is why the plan exists. Follow it. Contact the people listed in it. If you have cyber insurance, notify your carrier immediately — most policies require prompt notification, and late reporting can affect coverage.
3. Do Not Pay the Ransom
The Government of Canada's position is clear: "The Government of Canada does not recommend paying ransom to cyber criminals because any ransom payment fuels the ransomware model, which puts all Canadians at increased risk. There is no guarantee that cybercriminals will return your information, and your organization may be identified as a target for future cybercrime."
The data supports this guidance. Research from Sophos found that only 8% of organizations that paid the ransom recovered all of their data. Separate studies by Cybereason found that roughly 80% of organizations that paid were attacked again, with the majority hit within a year — and many were asked to pay more the second time.
In Canada, 88% of businesses hit by ransomware did not pay (Statistics Canada, 2023). Paying is not unlawful under Canadian law, but it carries significant risk: there is no guarantee of recovery, it funds further attacks, and it may violate sanctions laws if the threat actor is tied to a sanctioned entity.
4. Report the Incident
Contact the following:
- Canadian Centre for Cyber Security — 1-833-CYBER-88 (1-833-292-3788) or via My Cyber Portal
- Your local police service — File a report
- Canadian Anti-Fraud Centre — 1-888-495-8501 or via the online reporting system
- Your cyber insurance carrier — If you have a policy, notify them as early as possible
Only an estimated 5 to 10% of cybercrime is reported in Canada. Reporting matters — in the 2024-2025 fiscal year, the Cyber Centre issued 336 pre-ransomware notifications to Canadian organizations, generating an estimated $6 to $18 million in economic savings. That intelligence depends on incident reports.
5. Preserve Evidence
Do not wipe or reimage systems before forensic evidence is collected. Document what happened, when, and what you observed. Take screenshots of ransom notes. Record which systems are affected and which are confirmed clean. This evidence supports both your recovery and any law enforcement investigation.
After an Attack: Recovery and Obligations
Restore from Backups
If your backups are intact and offline, begin restoration following your recovery plan. Prioritize systems in the order you defined before the incident — typically financial systems, customer-facing services, and communications first.
Verify that the vulnerability the attacker used to get in has been patched before reconnecting restored systems. Otherwise, you are restoring into the same exposed environment.
Recovery takes longer than most businesses expect. For small businesses without documented recovery procedures, restoration typically takes days to weeks. The Toronto Public Library took nearly five months to fully restore services. Plan for this reality.
Meet Your Legal Obligations Under PIPEDA
If the ransomware attack involved personal information — employee records, customer data, financial information — it almost certainly triggers mandatory breach reporting under PIPEDA.
PIPEDA requires reporting when a breach creates a "real risk of significant harm" to individuals. Given the inherently malicious nature of ransomware and the difficulty of ruling out data exfiltration, ransomware attacks will nearly always meet this threshold.
You must:
- Report to the Privacy Commissioner of Canada — as soon as feasible after determining the breach occurred. There is no specific number of days, but "as soon as feasible" means do not wait for a complete investigation to start reporting.
- Notify affected individuals — tell them what happened, what information was involved, and what they can do to protect themselves.
- Keep records — maintain records of all breaches of security safeguards for 24 months, regardless of whether they meet the reporting threshold. The Commissioner can request access to these records at any time.
Failure to report, notify, or maintain records is an offence under PIPEDA, with fines of up to $100,000 per violation.
Conduct a Post-Incident Review
Once the immediate crisis is resolved, conduct an honest review:
- How did the attacker get in? Was it a phishing email, an unpatched vulnerability, a stolen credential, or a compromised vendor?
- What worked? Did your backups hold? Did your incident response plan help? Did your team know what to do?
- What failed? Where were the gaps — in technology, in process, or in training?
- What changes are needed? Update your incident response plan, close the gaps, and test the fixes.
This review is not about assigning blame. It is about ensuring the same attack does not work twice.
What You Should Do
If your business has not prepared for a ransomware attack, here is where to start:
- Write an incident response plan. Define who leads, who gets called, and what happens in the first hour. Print it and keep a copy accessible offline.
- Test your backups. Perform a full test restore. If you cannot restore your critical systems from backup, fix that before anything else. Follow the 3-2-1 rule.
- Enable MFA everywhere. Start with email, cloud services, VPN, and administrative accounts. This single control eliminates the majority of credential-based attacks.
- Patch automatically. Enable automatic updates on all systems. For anything that cannot be auto-updated, establish a weekly review cadence.
- Train your team. Ensure every employee can recognize a phishing email and knows how to report one. Run simulated phishing exercises.
- Restrict access. Review who has access to what and remove permissions that are not actively needed. Separate administrative accounts from daily-use accounts.
- Secure remote access. If employees work remotely or in a hybrid model, ensure VPN connections are secured with MFA and endpoints are managed.
- Review your insurance. If you have cyber insurance, verify that your current security posture meets the policy's requirements — particularly around MFA. If you do not have coverage, evaluate whether it makes sense for your organization.
The Baseline Controls
Ransomware preparedness is not a single control — it spans multiple areas of the Canadian Centre for Cyber Security's Baseline Controls. The most directly relevant are:
- BC.1 — Incident Response Planning: Have a plan, assign responsibilities, include contact information for external parties and regulators, and keep a hard copy
- BC.2 — Patch Management: Enable automatic updates to close the vulnerabilities ransomware operators exploit
- BC.3 — Anti-Malware: Configure and enable anti-virus and anti-malware software with automatic updates and scanning on all devices
- BC.5 — Authentication: Implement MFA wherever possible, especially for administrative and financial accounts
- BC.6 — Security Awareness: Train employees to recognize and report threats
- BC.7 — Data Backup: Back up essential systems, encrypt backups, store them offline, and test restoration regularly
- BC.12 — Access Control: Follow least privilege to limit lateral movement if an account is compromised
These are not enterprise requirements. They are practical steps that any Canadian business can implement — and the organizations that have them in place before an attack are the ones that survive it.
Our free assessment evaluates your organization across all 13 Baseline Control areas, including the ones most critical to ransomware preparedness. It takes under 10 minutes and shows you exactly where your business stands — and where the gaps are.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.