What Is Ransomware? A Canadian Business Guide
Ransomware is malware that encrypts your files and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware attacks, called "double extortion", also exfiltrate your data before encrypting it and threaten to publish sensitive information if the ransom isn't paid. The Canadian Centre for Cyber Security (CCCS) reports that Canadian businesses face 40% higher ransomware targeting rates than US counterparts, and 60% of Canadian SMBs that experience a ransomware attack close within 6 months.
How ransomware attacks work (2026)
- Initial access — most commonly via phishing email (malicious attachment or link), Remote Desktop Protocol (RDP) exposed to the internet, VPN credentials purchased on the dark web, or exploitation of unpatched software vulnerabilities
- Persistence and lateral movement — attackers install backdoors, steal credentials, and move laterally across the network over days or weeks before triggering encryption
- Data exfiltration — in double-extortion attacks, attackers exfiltrate sensitive files to their servers before encrypting; this gives them leverage even if you have good backups
- Encryption — ransomware encrypts files across all reachable drives, network shares, and cloud-synced folders (OneDrive, SharePoint), rendering them inaccessible
- Ransom demand — ransom notes demand payment (typically $50,000-$5,000,000 CAD depending on business size) within 72-96 hours before the price increases or data is published
Why backups alone don't protect against ransomware
Many businesses believe backups are sufficient ransomware protection. Modern ransomware counters this assumption:
- Backup encryption — ransomware specifically seeks and encrypts backup files and network-attached backup devices
- Dwell time — attackers lurk in your network for 21 days on average before triggering encryption; this means backups from the past 3 weeks may contain dormant ransomware
- Double extortion — even perfect backups don't prevent data being published if exfiltration occurred; businesses face regulatory reporting requirements regardless
- Recovery time — restoring from backup takes days or weeks; during this time, operations are disrupted and costs accumulate
How ransomware is different from other malware
- Ransomware: encrypts files + demands payment; immediate, visible impact; PIPEDA breach notification likely required
- Spyware/infostealer: silently exfiltrates credentials and data; may not be noticed for months; feeds ransomware attacks by providing credentials
- Botnet malware: uses infected computer as part of attack infrastructure (spam sending, DDoS); often low-profile and long-running
- Wiper malware: destroys data without ransom demand; used in nation-state attacks; irreversible without immutable backups
7 controls that protect Canadian businesses from ransomware
- MFA on all accounts — especially email and remote access; prevents credential-based initial access
- EDR on all endpoints — behavioural detection catches ransomware before encryption completes
- Email security filtering — anti-phishing, anti-malware, and safe links scanning blocks most initial access vectors
- Immutable backups with tested restoration — 3-2-1-1 backup with offline or immutable copy; monthly restoration tests
- Patch management — critical patches applied within 72 hours; no internet-exposed unpatched services
- Network segmentation — limits lateral movement; attackers who compromise one system cannot reach everything
- Security awareness training — employees who recognize phishing attacks prevent most initial access attempts
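An added example, not part of the original guide: a Python check that audits a backup inventory against the 3-2-1-1 control above and against the backup-encryption and 21-day dwell-time points made earlier. The `Copy` fields, the reading of "monthly" as 31 days, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DWELL_DAYS = 21         # average attacker dwell time quoted in this guide
RESTORE_TEST_DAYS = 31  # assumption: "monthly" means tested within the last 31 days


@dataclass
class Copy:
    name: str
    media: str                    # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool               # offline/air-gapped or write-once storage
    oldest_restore_point: date    # how far back this copy can restore
    last_restore_test: Optional[date] = None


def audit(copies: List[Copy], today: date) -> List[str]:
    """Return findings; an empty list means the inventory passes every check."""
    findings = []
    if len(copies) < 3:
        findings.append("3: fewer than three copies (production counts as one)")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies sit on one media type")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    protected = [c for c in copies if c.immutable]
    if not protected:
        findings.append("1: no offline or immutable copy")
    # A restore point older than the dwell window may predate the intrusion.
    cutoff = today - timedelta(days=DWELL_DAYS)
    if not any(c.oldest_restore_point < cutoff for c in protected):
        findings.append("dwell: no protected restore point older than 21 days")
    for c in protected:
        t = c.last_restore_test
        if t is None or (today - t).days > RESTORE_TEST_DAYS:
            findings.append(f"test: {c.name} has no restore test in the last month")
    return findings


# Constructed sample inventory, not data from any real environment.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Copy("production", "disk", False, False, TODAY),
    Copy("nas-nightly", "disk", False, False, date(2026, 1, 1), date(2026, 2, 20)),
    Copy("cloud-locked", "object-storage", True, True, date(2026, 2, 15), date(2025, 12, 1)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, TODAY):
        print(finding)
```

The sample inventory satisfies the 3-2-1-1 counts but still fails: its only immutable copy retains 14 days of restore points, inside the dwell window, and its last restore test is three months old.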
Related glossary terms
- EDR — Endpoint Detection and Response
- BDR — Backup and Disaster Recovery
- MFA — Multi-Factor Authentication
- Dark Web Monitoring
- MDR — Managed Detection and Response
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677