The Canadian Centre for Cyber Security, the RCMP, and every major Canadian cyber insurer advise against paying ransomware demands. Paying funds criminal networks, marks your organization as a repeat target, and often fails to restore all data. The decision should never be made in the first minutes of panic — disconnect affected systems, assess your backup integrity, engage legal counsel, and notify your insurer before anything else. Most Canadian SMBs with a tested offline backup can recover without paying.
What Ransomware Attackers Actually Want From Canadian Businesses
Modern ransomware operations targeting Canadian businesses are not the work of lone hackers — they are organized criminal enterprises, many operating with HR departments, affiliate programs, and customer-service teams dedicated to facilitating payments. Groups like LockBit, BlackCat/ALPHV, and Cl0p license their ransomware toolkits to affiliate operators who execute the attacks, splitting the ransom with the developer. The Canadian Centre for Cyber Security's 2023–2024 National Cyber Threat Assessment names ransomware as the most disruptive cyber threat facing Canadian organizations and explicitly identifies criminal groups operating from Russia, North Korea, and Iran as primary actors.
What they want is straightforward: payment in cryptocurrency, typically Monero or Bitcoin, through a payment portal hosted on the Tor network. Ransom demands sent to Canadian SMBs in 2023–2024 ranged from CA$25,000 for a two-person professional services firm to over CA$1.5 million for a mid-sized manufacturer. Coveware's 2024 Ransomware Marketplace Report showed the median demand for businesses under 100 employees settling near US$200,000 — roughly CA$275,000 at current exchange rates. Attackers have studied your sector, your revenue if public, and your cyber insurance limits (they specifically request proof of insurance to calibrate the demand higher).
The tactics have also evolved. Modern attacks follow a two-stage extortion model: attackers exfiltrate data first, then encrypt it. This means even if you restore from backup, the threat of publishing stolen client records, employee PII, or financial data on leak sites remains. Some groups now run triple extortion — adding DDoS attacks against your web presence and direct contact with your customers or suppliers as additional pressure. Understanding what you are dealing with is the first step to making a rational decision under pressure.
Canada's Official Position: Why the Government Says Don't Pay
The Government of Canada's official position on ransomware payment is unambiguous. The Canadian Centre for Cyber Security (cyber.gc.ca) states: "The Government of Canada strongly discourages paying a ransom." The RCMP's National Cybercrime Coordination Centre (NC3) echoes this in its guidance for victims, noting that payment encourages future attacks, funds ongoing criminal operations, and provides no legal guarantee of data restoration. Public Safety Canada's ransomware guidance recommends organizations focus on containment and recovery rather than negotiation.
The reasoning behind the no-pay position is grounded in measurable outcomes, not ideology. Coveware's data shows that 80% of organizations that pay a ransom are targeted again within 12 months — a direct result of appearing on internal criminal lists as "pays quickly." Payment also subsidizes the infrastructure used against other Canadian businesses, hospitals, and municipalities. The 2021 ransomware attack on Newfoundland's healthcare system — which disrupted patient records for weeks across the province — was executed by a group funded in part by ransoms paid by companies in other sectors. Your payment is not merely a private transaction; it has systemic consequences.
The CCCS asks all Canadian organizations — whether they pay or not — to report ransomware incidents to them at cccs-ccn.gc.ca. This reporting is voluntary but operationally important: it feeds the national threat intelligence picture, helps identify active campaigns, and can accelerate decryptor recovery efforts when the same group has been disrupted by law enforcement. The RCMP and CCCS can sometimes provide assistance that is unavailable through private channels, particularly when an active law enforcement operation has already targeted the specific ransomware group affecting you.
Legal and Sanctions Risk of Paying Ransomware in Canada
While paying ransomware is not categorically illegal for private Canadian businesses, it carries genuine and underappreciated legal risk. The central concern is sanctions exposure. Several major ransomware groups — including Conti (now dissolved into successor groups), Evil Corp, and individuals associated with North Korean state-sponsored operations — are designated sanctioned entities by the United States Office of Foreign Assets Control (OFAC), the European Union, or the United Kingdom's Office of Financial Sanctions Implementation. Canada's own sanctions regime under the Special Economic Measures Act (SEMA) and the Justice for Victims of Corrupt Foreign Officials Act maintains a list of designated entities administered by Global Affairs Canada.
If your ransomware attacker is a sanctioned entity — and you may not know this until forensic investigation is complete — paying them constitutes a prohibited transaction under Canadian and allied sanctions law. The fact that you did not know the recipient's identity is a mitigating factor but not a complete defense. OFAC has issued guidance acknowledging the difficult position ransomware victims face, but has also demonstrated willingness to impose civil penalties on companies that paid without adequate due diligence. A Canadian company that pays through a cryptocurrency address later traced to a North Korean state-sponsored group could face regulatory scrutiny from both Canadian authorities and, if it has US business relationships, US Treasury.
Beyond sanctions, payment creates internal legal complications. If your organization is publicly traded or operates in a regulated sector (financial services, healthcare, cannabis), the payment may trigger mandatory disclosure obligations. Directors and officers who authorize payment without legal counsel may expose the organization and themselves to liability if the decision is later scrutinized by shareholders, regulators, or insurers. The legal exposure is not hypothetical: following OFAC's 2021 Advisory on ransomware, several US companies faced enforcement action. Canadian regulators have not yet followed with equivalent enforcement, but the trend is clear. Engage legal counsel before any payment decision.
Why Ransomware Payments Frequently Fail
The ransomware criminal ecosystem makes implicit promises it regularly fails to keep. Payment is no guarantee of full data recovery — and the failure modes are numerous and costly. Coveware's 2024 analysis of cases where organizations paid found that while approximately 96% received some form of decryption key, only about 60% successfully recovered all of their encrypted data. The gap matters enormously: a dental practice that paid CA$180,000 in ransom but recovered only 70% of its patient records still faces the cost of reconstructing the remainder, notifying patients, and managing regulatory obligations — on top of the ransom itself.
The technical reasons decryptors fail include: rushed or buggy decryption software that corrupts files during the decryption process; encryption of files that were open or in use at the time of the attack, leaving them partially overwritten; database corruption when encryption interrupted a write mid-transaction; and attacker infrastructure going offline between payment confirmation and decryptor delivery, particularly when the affiliate operator takes the money and disappears. Some ransomware variants encrypt with deliberate irreversibility — designed as pure sabotage by nation-state actors — with no functional decryptor ever created. In these cases, the ransom note is theater: there was never going to be a way to restore the files.
The second extortion dimension compounds this. In double-extortion attacks — which represent the large majority of incidents against Canadian SMBs in 2023–2024 — payment of the encryption ransom does not resolve the data leak threat. Attackers operate separate negotiation tracks for the stolen data, and paying one does not guarantee the other is resolved. Coveware documented multiple cases where Canadian organizations paid both ransoms and still found their data published on criminal leak sites within 90 days. Criminal groups that steal and sell data to multiple parties cannot "un-sell" it even if they wanted to fulfill their promise. The leverage they hold after payment is real; yours is not.
What a Ransom Demand Actually Costs a Canadian SMB
The ransom figure in the demand is only the starting point of the true cost of paying. The table below lays out the full cost landscape for three paths: paying the ransom, recovering from a clean backup, and rebuilding without one. It is based on 2024–2025 Canadian incident response data from Coveware, the Insurance Bureau of Canada, and publicly reported Canadian incidents.
| Cost category | Pay ransom | Recover (with backup) | Recover (no backup) |
|---|---|---|---|
| Ransom payment | CA$150k–$400k | CA$0 | CA$0 |
| Forensic IR / containment | CA$20k–$60k | CA$15k–$45k | CA$25k–$80k |
| Downtime (per day, revenue impact) | CA$5k–$25k × 8–21 days | CA$5k–$25k × 1–4 days | CA$5k–$25k × 15–45 days |
| Legal counsel (incl. sanctions review) | CA$15k–$40k | CA$8k–$20k | CA$12k–$35k |
| PIPEDA / Law 25 notification | CA$5k–$20k | CA$5k–$20k | CA$5k–$25k |
| IT rebuild / hardening post-incident | CA$25k–$80k | CA$10k–$35k | CA$50k–$200k |
| Reputational / customer churn | High (data likely leaked) | Moderate | Very high (long outage) |
| Total estimated exposure | CA$320k–$820k | CA$45k–$140k | CA$150k–$500k+ |
The single most important variable in the table above is whether you have a tested immutable backup. A business with a clean backup less than 24 hours old, stored offline or in immutable object storage, reduces its total incident cost by 60–80% compared to a business that pays the ransom. The backup scenario does not require paying anything — and recovery time is measured in days rather than weeks. The no-backup, no-pay scenario is genuinely the worst outcome: full forensic reconstruction of data is expensive, slow, and often incomplete. The table makes the economic case for backup investment far more clearly than any percentage argument: preventing this incident from being the no-backup scenario is worth CA$150,000–$360,000 in avoided cost.
The Recovery Path: How Canadian Businesses Escape Ransomware Without Paying
Recovery without payment follows a structured process that is well-understood by Canadian incident response teams. The critical enabler is backup quality — specifically, whether you have an immutable offline copy of your data that predates the attack. Modern ransomware operators specifically target and destroy online backup repositories before triggering the visible encryption event. Backups attached to the same Windows domain, the same Microsoft 365 tenant without immutability configured, or accessible via SMB share on the same network are frequently encrypted alongside production data. If that is your situation, recovery options narrow significantly and costs escalate.
If your backups are intact, recovery follows a defined sequence. Containment comes first: isolating every affected machine from the network stops lateral spread and preserves forensic state. Investigation determines the scope — which systems are affected, which are clean, and what the attacker's entry point was. Eradication removes the ransomware and any persistence mechanisms (scheduled tasks, registry keys, implanted accounts) the attacker left behind. Restoration rebuilds systems from the clean backup set, verifying data integrity before reconnecting to the network. Hardening closes the entry point and adds controls to prevent recurrence. For businesses that have never tested their backup restore, the recovery phase reveals surprises — which is why quarterly restore drills matter before the incident occurs.
For businesses that need hands-on support during an active incident, IT Cares provides ransomware containment and data recovery across Canada — including forensic imaging of affected systems before any restoration begins, which preserves evidence for potential RCMP reporting and insurance claims. Professional incident responders bring tooling and experience that compress the investigation and restoration timeline significantly compared to an internal IT team managing their first breach while running the business simultaneously.
The free decryptor route is also worth checking before any payment decision. The No More Ransom project (nomoreransom.org), co-founded by Europol and industry partners, maintains a growing database of free decryptors for ransomware variants where law enforcement has seized attacker infrastructure and recovered master keys. As of mid-2026, the project offers free decryptors for over 170 ransomware families. Submit a sample of your encrypted files and ransom note to Crypto Sheriff (on the same site) before concluding that decryption requires payment. Law enforcement takedowns of major ransomware groups periodically release new decryptors — the Hive ransomware FBI disruption in 2023 enabled free recovery for hospitals and businesses globally, saving an estimated US$130 million in avoided ransoms.
Step-by-Step: The First 72 Hours After a Ransomware Attack
The first 72 hours of a ransomware incident are the most consequential. Decisions made in the first 30 minutes shape the eventual recovery cost and regulatory posture. The sequence below is based on the CCCS Cyber Incident Management guidance and Canadian incident response practice. Read this before an incident — the clarity disappears at 2 AM when the ransom note appears.
1. Isolate immediately. Disconnect affected machines from the network — pull Ethernet cables, disable Wi-Fi. If you can identify the blast radius, segment it. Do not power off machines blindly: live memory may contain the encryption key or attacker evidence. Photograph the ransom note on your screen before touching anything.
2. Identify and preserve. List every affected system, every clean system, and every system with uncertain status. Screenshot or photograph error messages, ransom notes, and any unusual files. Do not modify, delete, or wipe any affected system before forensic imaging — insurance and RCMP reporting may require it.
3. Call your IR team. Your MSP's emergency line, your cyber insurer's breach hotline, or a dedicated incident response provider. Do not attempt to negotiate or contact attackers without professional guidance. Canadian incident response providers can be on-call remotely within minutes and on-site within hours in most major cities.
4. Notify your insurer. Call your cyber insurance provider within the first two hours. Most policies require prompt notification. The insurer will assign a panel counsel and IR firm — understand your policy before you need it, because some require you to use their preferred vendors or forfeit coverage.
5. Engage legal counsel. Your insurance panel counsel or your own lawyer with cybersecurity experience. They need to assess sanctions exposure before any payment is considered, advise on privilege protection for your internal communications, and begin mapping your regulatory reporting obligations.
6. Assess backup integrity. Your IR team will check whether your backup repositories were reached and encrypted. This is the pivotal finding: clean backups change the decision calculus entirely. Do not assume backups are intact until they are confirmed readable and restorable by an independent check.
7. Submit to No More Ransom. Upload encrypted file samples and the ransom note to nomoreransom.org's Crypto Sheriff tool. If a free decryptor exists for your variant, this eliminates the payment question entirely.
8. Begin PIPEDA/Law 25 clock assessment. Determine whether personal information was accessed or exfiltrated. If so, the 72-hour Law 25 clock (for Quebec-resident data) starts from the time you became aware. Your legal counsel will advise on the reporting threshold for the OPC under PIPEDA.
9. Do not pay without completing steps 1–8. A decision made before backup assessment, before sanctions screening, and before insurer notification is a decision made with incomplete information under maximum attacker pressure. That is exactly when the worst decisions happen. The ransom deadline in the note is a negotiating tactic, not an immovable constraint — deadlines typically extend once a professional negotiator engages, if payment ultimately becomes necessary.
10. Report to the CCCS and RCMP. File a report at cyber.gc.ca and contact the RCMP's NC3. This is voluntary but operationally valuable — intelligence shared early can contribute to an active law enforcement operation against the group targeting you, and may result in intelligence back to your IR team that assists recovery.
Backup Readiness Is the Entire Decision
The ransomware payment decision reduces almost entirely to a single variable: do you have a clean, tested, immutable backup that was not reached by the attack? If yes, the decision is straightforward — engage professional recovery, restore from backup, report as required, harden the environment. If no, the decision becomes genuinely difficult, and the cost comparison shifts. This is why the backup investment discussion must happen before the incident, when logic is available and stakes are abstract.
The three failure patterns that eliminate the "yes, we have backups" option from the decision are: backups stored on the same network as production systems (encrypted along with everything else), backups that have never been test-restored (green checkmarks on a dashboard are not confirmed restores), and backup retention too short to predate the attacker's dwell time. Modern ransomware operators often remain dormant in a network for 14–60 days after initial access — establishing persistence, mapping the environment, and identifying backup repositories — before triggering the encryption event. If your backup retention is 7 days, an attacker who entered 30 days ago has already ensured your clean backups are outside the retention window before you know you were breached.
Immutable backups stored in a separate cloud account with object-lock technology — preventing any account, including the backup account itself, from deleting or modifying snapshots for a defined retention period — are the specific capability that defeats this attack pattern. Azure Blob immutability, Wasabi Object Lock, and AWS S3 Object Lock all support this model. Minimum recommended retention for Canadian SMBs is 30 days for daily snapshots and 90 days for weekly snapshots, based on known ransomware dwell times. The business data backup and DR guide covers the full implementation architecture with Canadian cloud provider pricing. Running a quarterly restore drill — verify the backup is actually restorable, measure the time to restore, document the result — is the only way to know with confidence before you are in crisis.
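To make the two failure patterns above concrete (retention shorter than attacker dwell time, and backups that were never test-restored), here is an added example in Python. It is not the article's, IT Cares', or any backup vendor's code. It assumes the 30-day daily / 90-day weekly retention the article recommends, assumes weekly snapshots land on Sundays, and constructs its own snapshot schedule, dates and file contents; a real drill would point `restore_drill` at a restore pulled from the immutable store rather than a local directory.

```python
"""Backup-readiness checks: does a retained snapshot predate the attacker's
first access, and does a snapshot actually restore intact? Added example,
not code from the article. Policy, cadence and sample data are assumptions."""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import date, timedelta

# Assumed policy, following the article's recommendation: 30 daily, 90 weekly.
DAILY_RETENTION_DAYS = 30
WEEKLY_RETENTION_DAYS = 90


def is_retained(snapshot_day, today, daily_days, weekly_days):
    """A snapshot survives if it is inside the daily window, or if it is a
    Sunday snapshot (assumed weekly cadence) inside the weekly window."""
    age = (today - snapshot_day).days
    if age < 0:
        return False
    return age < daily_days or (age < weekly_days and snapshot_day.weekday() == 6)


def newest_clean_snapshot(snapshot_days, initial_access, today,
                          daily_days=DAILY_RETENTION_DAYS,
                          weekly_days=WEEKLY_RETENTION_DAYS):
    """Newest retained snapshot taken before the attacker's first access, or
    None. Anything taken on or after initial access may already contain the
    attacker's persistence and is not a clean restore point."""
    clean = [d for d in snapshot_days
             if is_retained(d, today, daily_days, weekly_days) and d < initial_access]
    return max(clean) if clean else None


def daily_snapshots(today, days_back):
    """Constructed schedule: one snapshot per day for the last days_back days."""
    return [today - timedelta(days=i) for i in range(days_back)]


def make_snapshot(snapshot_dir, files):
    """Write files plus a SHA-256 manifest; stands in for an immutable snapshot."""
    os.makedirs(snapshot_dir, exist_ok=True)
    manifest = {}
    for name, data in files.items():
        with open(os.path.join(snapshot_dir, name), "wb") as fh:
            fh.write(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


def restore_drill(snapshot_dir, manifest):
    """Restore every file to a scratch directory, hash it, and compare with the
    manifest. Returns the drill record: file count, failures, elapsed seconds."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    started = time.monotonic()
    failed = []
    try:
        for name, expected in manifest.items():
            dst = os.path.join(scratch, name)
            try:
                shutil.copy2(os.path.join(snapshot_dir, name), dst)
                with open(dst, "rb") as fh:
                    actual = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                actual = None  # a missing or unreadable file is a failed restore
            if actual != expected:
                failed.append(name)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return {"files": len(manifest), "failed": sorted(failed),
            "seconds": round(time.monotonic() - started, 3)}


if __name__ == "__main__":
    today = date(2024, 6, 30)                  # constructed: a Sunday
    first_access = today - timedelta(days=30)  # assumed 30-day dwell time
    snaps = daily_snapshots(today, 120)
    print("7-day retention, clean snapshot:",
          newest_clean_snapshot(snaps, first_access, today, 7, 0))
    print("30/90 retention, clean snapshot:",
          newest_clean_snapshot(snaps, first_access, today))
    work = tempfile.mkdtemp()
    manifest = make_snapshot(work, {"ledger.csv": b"2024,ok\n", "notes.txt": b"hi\n"})
    print("drill:", restore_drill(work, manifest))
    shutil.rmtree(work)
```

With a 7-day policy and a 30-day dwell time `newest_clean_snapshot` returns `None`: every retained snapshot was taken after the attacker was already inside. With the 30/90 policy the weekly Sunday snapshot from 35 days back survives and is the newest clean restore point. The drill record (file count, failed names, seconds) is the artifact to keep from each quarterly exercise; a green dashboard checkmark is not a substitute for it.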
Anonymized Canadian SMB Case Studies
Three scenarios drawn from Canadian incident response cases in 2023–2024. Details have been generalized to protect the organizations involved. These outcomes are typical of their respective backup postures.
Case A — Calgary accounting firm, 18 employees, paid and regretted it. The firm was hit on a Thursday evening. The ransom note demanded CA$220,000 in Bitcoin. The partner in charge, unable to reach their IT provider's after-hours line, paid the ransom by Saturday morning without legal consultation or insurer notification. The decryptor was provided but corrupted approximately 30% of client files, including active tax files. Full data reconstruction required three weeks of manual work. The cyber insurer denied the ransom coverage claim because the policy required pre-authorization, which was never obtained. Total cost including the ransom, legal fees for insurer dispute, IT rebuild, and client notifications: CA$490,000. The firm was targeted again eight months later.
Case B — Halifax dental practice, 6 employees, recovered without paying. An encrypted workstation appeared on a Monday morning. The dentist called their MSP's emergency line at 7:45 AM. By 9 AM, three affected workstations were isolated and a forensic review confirmed backups in immutable Azure Blob storage were intact — the most recent snapshot was 11 hours old. Malware was eradicated by noon. Restoration from backup was complete by 5 PM. The practice was operational the next morning with one day of rescheduled appointments. Total incident cost: CA$8,200 in MSP emergency response fees. PIPEDA reporting was not triggered because no patient data was confirmed exfiltrated. The entry point — an unpatched VPN appliance — was patched during the IR engagement.
Case C — Ontario logistics company, 45 employees, no backup, did not pay, severe outcome. The company discovered the attack on a Monday. Their IT manager found that the on-premises NAS backup drive had been encrypted alongside production systems. Cloud sync (Microsoft OneDrive) had propagated the encryption to cloud copies within hours of the attack. No immutable backup existed. The company chose not to pay on principle. Full data reconstruction from emails, PDFs, and client records shared externally took six weeks. Three key customer contracts were lost during the downtime. One customer filed a PIPEDA complaint. Total cost: CA$380,000 including lost contracts, IT rebuild, and regulatory response. The company survived but with lasting operational damage.
Pay vs. Recover: Side-by-Side Outcome Comparison
The comparison below consolidates outcomes across the three decision paths for a typical Canadian SMB. Use it to structure the conversation with your legal counsel and insurer in the first hours of an incident.
| Outcome dimension | Pay ransom | Restore (clean backup) | Rebuild (no backup) |
|---|---|---|---|
| Full data recovery probability | ~60% | >95% if backup <24h old | 30–70% (manual reconstruction) |
| Typical time to operations | 8–21 days | 1–4 days | 15–60 days |
| Re-targeted within 12 months | ~80% (Coveware) | ~25% without hardening | ~25% without hardening |
| Data leak risk resolved by payment | No — frequently still leaked | Depends on exfiltration scope | Depends on exfiltration scope |
| Sanctions legal risk | Yes — group may be designated | None from payment | None from payment |
| Insurance coverage | Conditional on pre-authorization | Covered (IR + downtime) | Covered (IR + downtime) |
| Govt / CCCS recommendation | Strongly discouraged | Recommended path | Recommended path |
The Decision Framework: When Payment Might Be Considered
The default answer is do not pay. But incident response practitioners, not politicians, live in the space where absolutes collide with business reality. There is a narrow set of circumstances where payment consideration is rational — and even then, it requires a structured process, not a panic-driven wire transfer. The framework below reflects how experienced Canadian IR professionals actually advise clients, as distinct from the necessary simplicity of public government guidance.
Payment is worth considering only when all of the following are true:
1. Backup assessment by your IR team has confirmed no usable clean backup exists — not "backups are present" but "we tested restoration and it fails or the data predates the attack by more than 30 days."
2. Manual data reconstruction is not viable within your business's survival timeline — e.g., patient care data that cannot be reconstructed from other sources, or the reconstruction cost exceeds the ransom.
3. Legal counsel has completed a sanctions screening and confirmed the specific ransomware group is not on Canadian, US, UK, or EU designation lists.
4. Your insurer has been notified and has pre-authorized the payment.
5. A professional negotiator — not your in-house staff — will conduct any communication with the attackers, which typically reduces the demanded amount by 30–70% and improves the probability of a functional decryptor.
Even when all five conditions are met, payment is the last resort. It is worth investing another 24–48 hours in the No More Ransom database, in checking whether law enforcement has an active operation against the group, and in exploring partial data recovery from external sources (client emails, cloud-shared files, CRA tax submissions, banking records) before authorizing any transfer. The decision framework is a sequential checklist, not a binary choice — most organizations that work through it systematically discover they have more recovery options than the initial panic suggested.
How Cyber Insurance Handles Ransomware in Canada
The Canadian cyber insurance market has evolved significantly since the ransomware surge of 2020–2022. Premiums rose 50–100% in that period; the market subsequently stabilized but with substantially higher underwriting requirements. As of 2025–2026, most Canadian cyber insurers require documented evidence of MFA, EDR, and tested backups before issuing a policy at a reasonable premium — and many include exclusions or co-insurance provisions that activate if those controls were misrepresented at application.
For ransomware incidents specifically, policies typically cover: ransom payment (subject to pre-authorization), business interruption losses during downtime, forensic investigation and IR costs, legal fees for breach notification compliance, regulatory fines (in some policies), and crisis communications. The Insurance Bureau of Canada's 2024 guidance notes that policies typically exclude ransom payments to sanctioned entities, payments made without insurer notification, and incidents where the business misrepresented security controls at application.
The critical practitioner insight is this: your insurer is not an adversary in a ransomware incident. They have a financial interest in minimizing total payout, which aligns with your interest in the lowest possible total cost. Insurers with strong vendor panels can deploy experienced IR teams, legal counsel with ransomware experience, and professional negotiators within hours — at no marginal cost to you within policy limits. Calling your insurer first (or simultaneously with your IR provider) typically produces better outcomes than going it alone. However, the insurer's interest in minimizing ransom payment is not always the same as your interest in the fastest data recovery — understand that tension when evaluating their recommendations.
Businesses without cyber insurance should evaluate the managed security services options that bundle basic incident response coverage, and should speak with a Canadian cyber insurance broker before the next renewal cycle. A security assessment typically improves your insurability and reduces your premium enough to partially offset the assessment cost within the first policy year.
PIPEDA and Law 25 Breach Reporting After Ransomware
Ransomware incidents almost always trigger mandatory breach reporting obligations under Canadian privacy law — whether you pay the ransom or not. The reporting obligation is not contingent on the payment decision; it is triggered by whether personal information was compromised with a real risk of significant harm to the individuals affected. The encryption of a server containing employee records, client PII, or payment card data almost certainly meets this threshold.
Under federal PIPEDA (Personal Information Protection and Electronic Documents Act), organizations must report to the Office of the Privacy Commissioner of Canada (priv.gc.ca) as soon as feasible after determining a breach poses a real risk of significant harm. The OPC's guidance suggests 72 hours as a reasonable target, though the legislation uses "as soon as feasible" language. You must also notify affected individuals directly and maintain an internal record of all breaches regardless of whether external reporting is required.
Quebec's Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels) imposes a hard 72-hour reporting deadline to the Commission d'accès à l'information (CAI) at cai.quebec.ca when a confidentiality incident presents a risk of serious injury to the persons concerned. The CAI must also be notified before affected individuals in cases where the notification itself might create an additional risk. Failure to report within 72 hours under Law 25 carries penalties up to CA$25 million or 4% of worldwide turnover — among the most significant data protection penalties in Canadian law.
For organizations operating in regulated sectors — financial services (OSFI guidance), healthcare (provincial college requirements), and cannabis (Health Canada) — additional sector-specific reporting obligations layer on top of privacy law requirements. The Law 25 compliance guide covers Quebec-specific obligations in detail. The key operational point is that the legal clock starts when you become aware of the incident, not when investigation is complete — begin the reporting process concurrently with technical response, not after.
24-Hour Response Checklist
This checklist is designed to be printed and kept in a physical binder alongside your incident response plan — accessible when systems are unavailable. Review it annually and update contact details when they change.
- Isolate affected machines — pull Ethernet cables, disable Wi-Fi, do not power off
- Photograph ransom note and any unusual screens before touching anything
- Identify which systems are affected vs. clean — document the list
- Call your MSP or IR provider emergency line (have this number in your phone, not only in email)
- Call your cyber insurer breach hotline — pre-authorization of any ransom payment is mandatory
- Call legal counsel — begin sanctions screening immediately if payment is being considered
- Check No More Ransom (nomoreransom.org) — free decryptor may already exist for your variant
- Do NOT pay, negotiate, or contact attackers without professional guidance
- Confirm backup integrity with IR team — are repositories clean and restorable?
- Report to CCCS at cyber.gc.ca and RCMP NC3 — document report timestamps
- Begin PIPEDA/Law 25 clock assessment — identify personal data at risk
- Preserve all logs, ransom notes, and attacker communications as evidence
- Do NOT rebuild or wipe systems until forensic imaging is complete
- Brief leadership on status — designate a single spokesperson for external communications
- Prepare draft customer notification with legal counsel review before sending
- Document every action taken with timestamps — this record matters for regulatory response and insurance claims
Frequently Asked Questions
Should a Canadian business pay ransomware demands?
The Canadian Centre for Cyber Security and the RCMP both advise against paying. Payment does not guarantee data recovery, funds criminal operations, and marks your organization as a repeat target. The decision should only be made after assessing backup integrity and consulting legal counsel — not under pressure in the first hours of an attack. In most Canadian SMB incidents with an intact tested backup, recovery without payment is both faster and cheaper.
Is paying ransomware illegal in Canada?
Payment itself is not explicitly illegal for most private Canadian businesses, but it carries genuine legal risk. If the ransomware group is a designated sanctioned entity under Canadian, US, or allied sanctions law — and you may not know this until forensic investigation identifies the group — payment can constitute a prohibited transaction. Legal counsel should screen the ransomware group against designation lists before any payment is authorized. Paying without this check exposes the organization and its directors to potential regulatory scrutiny.
What percentage of ransomware victims who pay actually get their data back?
According to Coveware's 2024 Ransomware Marketplace Report, approximately 96% of victims who pay receive some form of decryption key, but only about 60% fully recover all encrypted data. Decryptors are frequently buggy, slow, or cause additional file corruption. Additionally, 80% of organizations that pay are targeted again within 12 months, and paying the encryption ransom does not resolve the data-leak threat in double-extortion attacks — stolen data is frequently published regardless of payment.
What does the Canadian government say about paying ransomware?
The Canadian Centre for Cyber Security (cyber.gc.ca) states explicitly: "The Government of Canada strongly discourages paying a ransom." The RCMP's National Cybercrime Coordination Centre echoes this, noting that payment funds organized crime, does not guarantee data restoration, and increases the likelihood of repeat targeting. The CCCS asks all Canadian organizations to report incidents to them at cccs-ccn.gc.ca regardless of whether payment is made, as the intelligence supports national threat tracking and may assist recovery if law enforcement has an active operation against the attacking group.
What are my legal obligations after a ransomware attack in Canada?
Under PIPEDA, if personal information is compromised with a real risk of significant harm, you must report to the Office of the Privacy Commissioner (priv.gc.ca) and notify affected individuals as soon as feasible. Quebec's Law 25 requires reporting to the CAI within a hard 72-hour deadline, with penalties up to CA$25 million for failure. You must also maintain an internal record of all breaches regardless of whether external reporting thresholds are met. Sector-specific obligations (OSFI for financial services, provincial health colleges for healthcare) may add further requirements.
How much does ransomware recovery cost without paying the ransom?
For a 10–50 employee Canadian SMB with clean tested immutable backups, professional incident response and recovery typically costs CA$15,000–$60,000 covering forensic investigation, containment, and restoration. Recovery time is typically 1–4 days. Without adequate backups, total costs including manual reconstruction, extended downtime, and regulatory compliance commonly reach CA$150,000–$500,000 with 15–60 days of disruption. The backup investment — approximately CA$2,000–$6,000 per year for an SMB — is the most important cost-reduction lever available before an incident occurs.
Can cyber insurance cover ransomware payments in Canada?
Most Canadian cyber insurance policies cover both ransom payments and recovery costs, but since 2023 insurers require pre-authorization before any payment is made. You must notify your insurer immediately when a ransomware incident is discovered, and most require documented evidence that backups were assessed and confirmed insufficient before approving a ransom payment. Paying without insurer pre-authorization typically voids the ransom coverage claim. Insurers also exclude payments to sanctioned entities and payments where the insured misrepresented security controls at policy application.
What is the first thing I should do if hit by ransomware?
Immediately disconnect affected machines from the network — pull Ethernet cables and disable Wi-Fi — to stop lateral spread. Do not power off devices blindly, as live memory may contain decryption keys or attacker evidence. Photograph the ransom note before touching anything. Call your IT provider or incident response team, then your cyber insurer. Do not pay, negotiate, or contact the attackers without professional guidance. Check No More Ransom (nomoreransom.org) for free decryptors. Preserve all logs and ransom notes as evidence for the RCMP and insurance claim.
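The checklist earlier on this page asks that every action be documented with timestamps and that logs and ransom notes be preserved as evidence, and the answer above repeats the evidence point. An insurer or regulator will later ask whether that record could have been edited after the fact. The following is an added example, not code from the original article, of one way to make the timeline tamper-evident: each entry carries the SHA-256 of the previous entry, and the hash of the latest entry is sent out of band (for example to counsel) so that a later alteration, insertion or deletion of any entry is detectable. The incident identifier, hostname and entries are constructed for the demonstration.

```python
"""Added example, not code from the original article: an append-only,
hash-chained incident timeline. Each entry records a UTC timestamp, the actor,
the action taken and the SHA-256 of the previous entry. The incident id,
hostname and actions below are constructed for the demonstration."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64   # "previous hash" of the very first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way.
    raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, when: Optional[datetime] = None) -> dict:
        """Append an entry; timestamps default to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        prev = _digest(self.entries[-1]) if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; send this out of band to anchor the chain."""
        return _digest(self.entries[-1]) if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """None if the chain is intact; otherwise the index at which it first fails
        to link. len(entries) means the tail no longer matches the recorded head."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            prev = _digest(e)
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def export(self) -> str:
        """One JSON object per line, suitable for handing to counsel or an insurer."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo() -> tuple[Optional[int], Optional[int]]:
    """Build a constructed timeline, anchor its head, then edit an entry after the fact."""
    log = IncidentLog("IR-0001-EXAMPLE")   # constructed identifier
    t0 = datetime(2025, 3, 3, 8, 15, tzinfo=timezone.utc)
    log.record("helpdesk", "Ransom note found on FS01 (constructed host); cable pulled", t0)
    log.record("it-lead", "Cyber insurer notified by phone", t0 + timedelta(minutes=25))
    log.record("counsel", "Sanctions screening of the group started", t0 + timedelta(hours=1))
    anchored_head = log.head()
    intact = log.verify(anchored_head)

    # Someone later "improves" the record; the chain breaks at the next entry.
    log.entries[1]["action"] = "Cyber insurer notified within five minutes"
    broken = log.verify(anchored_head)
    return intact, broken


if __name__ == "__main__":
    print("intact chain ->", demo()[0], "| after edit, first broken link ->", demo()[1])
```

Because an entry's hash is embedded in the one after it, editing entry 1 is reported at index 2; editing the final entry is caught only by the externally recorded head, which is why that hash should leave the organization's systems (email to counsel, the insurer's claim portal) at the end of each shift.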
Get a ransomware readiness assessment for your Canadian business
We review your backup posture, identify gaps, and give you a written recovery plan — so you know exactly what you would do if ransomware hit tonight. No sales pitch, no long-term commitment.
