
The state of ransomware in Canada

By Eric Brynaert
Product Marketing Manager

CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the fourth blog post in a series of five for 2022.

What do a small town in Ontario, a plastics manufacturing firm in Winnipeg, an arts centre in PEI, and a fighter jet training company in Montreal have in common? They were all victims of a ransomware attack over the last several months.

As these and many other Canadian organizations can attest, ransomware attacks are devastating. In addition to the cost of paying ransom to decrypt their data, or to prevent it from being published on the internet, organizations typically face significant operational disruption that leads to lost productivity and lost revenue. Many victims also take a hit to their reputation as customers, employees and others question whether the organization is capable of safeguarding their data and fending off future attacks.

The findings from the 2022 CIRA Cybersecurity Survey shed new light on the state of ransomware in Canada and the steps Canadian organizations are taking to combat it.


Canadian organizations in all sectors being victimized by ransomware

In keeping with global trends, ransomware attacks in Canada are widespread and hurting organizations across all sectors. Overall, 22 per cent of organizations indicate they were the victim of a successful ransomware attack in the past 12 months, up from 17 per cent in 2021. Private sector organizations reported the highest percentage of ransomware attacks at 24 per cent, followed by 22 per cent in the public sector and 19 per cent in the MUSH (municipalities, universities, school boards and hospitals) sector.

Among those that experienced a ransomware attack, seven out of ten indicated that their data was stolen or “exfiltrated” by their attackers, either from their corporate network or a cloud-based service.

A substantial majority of organizations opted to pay the ransom demands

Most security experts, including the Canadian Centre for Cyber Security, recommend against paying ransom to threat actors for a variety of reasons. For one thing, just because you pay the money doesn’t mean you’ll get access to your data, and even if you do, there’s no guarantee that your attacker won’t leak your data at some future date. Researchers at Palo Alto Networks found that 14 per cent of ransomware victims paid cyber criminals more than once.

Despite this, a substantial majority of organizations (73 per cent) in the CIRA survey said they paid their attackers in an attempt to resume normal business operations as quickly as possible, up from 69 per cent in 2021.

This willingness to pay was most pronounced in the private sector with 77 per cent choosing to yield to their attackers’ demands, compared to 59 per cent of public sector organizations and 60 per cent of MUSH sector organizations. This difference may suggest that private businesses are more likely to have the funds to pay and the ability to make the decision to do so more quickly than their counterparts in other sectors.

How much did Canadian ransomware victims pay? The survey findings give us some new insight into that as well. The largest share of organizations, 28 per cent, paid between $25,000 and $50,000, according to the CIRA survey results, while 15 per cent admitted to paying $100,000 or more. Furthermore, the estimated average ransomware payment by Canadian organizations is $60,000.

The high rate of ransom payments is no doubt on the minds of insurance companies that offer cybersecurity insurance. Canadian organizations already have a high bar to meet to qualify for this kind of coverage, but if this trend continues it will likely raise the bar even higher.

Taking steps to prevent ransomware attacks

The CIRA survey results underscore the extent of the threat that ransomware attacks pose to Canadian organizations. They also point to the importance of prevention: by the time you’re aware that you’ve fallen prey to this type of attack, you have very few options for coming out of it unscathed.

According to numerous industry research studies, phishing and malicious emails remain the main vector of infection for ransomware. Ensuring that your organization is protected from phishing and other forms of malware by effective cybersecurity solutions is essential for preventing ransomware.

Having a cybersecurity response plan and providing your employees with effective cybersecurity awareness training are also critical steps you can take to reduce the risk of ransomware attacks. No matter how good your security protection is, it’s inevitable that some phishing emails will find their way into your employees’ inboxes. And when they do, your entire team needs to be able to identify them and know how to take the appropriate corrective action to neutralize the threat.


If you’re looking for enterprise-level protection from ransomware and other malicious threats to your organization, check out the CIRA DNS Firewall.

About the author
Eric Brynaert

Eric is a Product Marketing Manager with CIRA Cybersecurity Services. His background in digital marketing has led him to appreciate the vital role data plays for Canadian organizations and individuals, and the need to keep it safe. Eric has an MBA in International Business from Sup de Co La Rochelle.