Key Ransomware Variants In Canada

Under the new Technology and Cyber-Security Reporting Advisory, financial institutions must report incidents within 24 hours in writing. Here is a list of examples of reportable incidents:

| Scenario Name | Scenario Description | Impact |
| --- | --- | --- |
| Cyber Attack | Account takeover botnet campaign is targeting online services using new techniques, current defenses are failing to prevent customer account compromise | High volume and velocity of attempts; Current controls are failing to block attack; Customers are locked out; Indication that customer account(s) or information has been compromised |
| Service Availability & Recovery | Technology failure at data center | Critical online service is down and alternate recovery option failed; Extended disruption to critical business systems and operations |
| Third-Party Breach | A material third party is breached, FRFI is notified that third party is investigating | Third party is designated as material to the FRFI; Impact to FRFI data is possible |
| Extortion Threat | FRFI has received an extortion message threatening to perpetrate a cyber attack (e.g., DDoS for Bitcoin) | Threat is credible; Probability of critical online service disruption |

Extortion threats come in different forms and shapes. Here is a list of the most commonly found types in Canada:

CRYPTO LOCKER: Ransomware created by Russian cybercriminal Evgeniy Bogachev in 2013, considered the first modern ransomware variant, distributed by the GameOverZeus malware, whose operators included Bogachev and Evil Corp members.
EVIL CORP: A Russia-based organized cybercriminal group responsible for the Dridex malware and multiple ransomware campaigns since 2015. In December 2019, Evil Corp members were indicted and sanctioned by the US for their ongoing cybercriminal activities and for providing assistance to a Russian intelligence service.
FIN6: An organized cybercriminal group, likely Russian-speaking, reportedly linked to multiple Ryuk and Megacortex infections since 2018, but active since 2015.
MAZE: A ransomware variant whose operators are known to leak victim data for non-payment. Active since at least November 2019.
MEGA CORTEX: A ransomware variant discovered in 2019 observed targeting Industrial Control Systems processes, reportedly linked to Trickbot and FIN6 operations.
RYUK: A ransomware variant known to target large enterprises, hospitals and critical infrastructure and demand extremely large ransoms. Active since August 2018. Ryuk is affiliated with multiple Russian-speaking cybercriminals, including the operators of Trickbot.
SAMSAM: A ransomware variant used by Iranian cybercriminals that compromised multiple municipalities, hospitals, universities, and businesses in Canada, the US, the UK, and other countries primarily during 2015-2018.
SODINOKIBI: A ransomware variant, whose Russian-speaking developers hire other cybercriminals to distribute and deploy their ransomware.
TRICKBOT: A banking trojan used to steal financial data and online banking credentials. Trickbot is affiliated with multiple Russian-speaking cybercriminals and is a primary distributor of the Ryuk ransomware.