Under the new Technology and Cyber-Security Reporting Advisory, financial institutions must report incidents within 24 hours in writing. Here is a list of examples of reportable incidents:
Scenario Name | Scenario Description | Impact |
---|---|---|
Cyber Attack | An account takeover botnet campaign is targeting online services using new techniques; current defenses are failing to prevent customer account compromise | High volume and velocity of attempts; current controls are failing to block the attack; customers are locked out; indication that customer account(s) or information has been compromised |
Service Availability & Recovery | Technology failure at a data center | Critical online service is down and the alternate recovery option failed; extended disruption to critical business systems and operations |
Third-Party Breach | A material third party is breached; the FRFI is notified that the third party is investigating | Third party is designated as material to the FRFI; impact to FRFI data is possible |
Extortion Threat | The FRFI has received an extortion message threatening to perpetrate a cyber attack (e.g., DDoS for Bitcoin) | Threat is credible; probability of critical online service disruption |
Extortion threats come in many forms. Here is a list of the ransomware variants and cybercriminal groups most commonly observed in Canada:
Name | Description |
---|---|
CRYPTO LOCKER | Ransomware created by Russian cybercriminal Evgeniy Bogachev in 2013, considered the first modern ransomware variant. It was distributed by the GameOverZeus malware, whose operators included Bogachev and Evil Corp members. |
EVIL CORP | A Russia-based organized cybercriminal group responsible for the Dridex malware and multiple ransomware campaigns since 2015. In December 2019, Evil Corp members were indicted and sanctioned by the US for their ongoing cybercriminal activities and for providing assistance to a Russian intelligence service. |
FIN6 | An organized cybercriminal group, likely Russian-speaking, reportedly linked to multiple Ryuk and MegaCortex infections since 2018, but active since 2015. |
MAZE | A ransomware variant whose operators are known to leak victim data when the ransom is not paid. Active since at least November 2019. |
MEGA CORTEX | A ransomware variant discovered in 2019 and observed targeting Industrial Control System processes; reportedly linked to Trickbot and FIN6 operations. |
RYUK | A ransomware variant known to target large enterprises, hospitals and critical infrastructure and to demand extremely large ransoms. Active since August 2018. Ryuk is affiliated with multiple Russian-speaking cybercriminals, including the operators of Trickbot. |
SAMSAM | A ransomware variant used by Iranian cybercriminals that compromised multiple municipalities, hospitals, universities, and businesses in Canada, the US, the UK, and other countries, primarily during 2015-2018. |
SODINOKIBI | A ransomware variant whose Russian-speaking developers hire other cybercriminals to distribute and deploy their ransomware. |
TRICKBOT | A banking trojan used to steal financial data and online banking credentials. Trickbot is affiliated with multiple Russian-speaking cybercriminals and is a primary distributor of the Ryuk ransomware. |
Source: https://cyber.gc.ca/sites/default/files/publications/Modern-Ransomware-Sept2020-CCCS-TLPWHITE-en.pdf