Criminals using AI to commit ransomware attacks, cybersecurity centre warns

OTTAWA – The federal cybersecurity centre warns in a new report that criminals who hold data for ransom are using artificial intelligence tools that make it easier to target their victims.

The Canadian Centre for Cyber Security’s latest outlook report says the ransomware threat in Canada “continues to increase and evolve quickly” as malicious actors adopt sophisticated tactics.

Numerous Canadian organizations, including businesses, hospitals and universities, have been held digitally hostage in recent years by cybercriminals who electronically locked their private data and demanded payment to free the files.

In some ransomware cases, cybercriminals steal sensitive data and then threaten to make it public unless the ransom is paid.

The Cyber Centre’s report, made public Wednesday, says the number of ransomware incidents known to the centre increased from 2021 to 2024.

Cyber Centre head Rajiv Gupta says in the report that ransomware is one of the most disruptive, costly and persistent challenges facing Canadian organizations of every size.

“We assess that ransomware will remain a significant threat to Canada, requiring substantial attention from Canadians in the coming years,” says the report.

The centre — part of the Communications Security Establishment, Canada’s cyberspy agency — warns that threat actors engaged in ransomware attacks have started using AI to spot vulnerabilities, develop malware, generate deepfake images and automate negotiations with victims.

AI helps criminals overcome technical barriers and a lack of resources, making it easier to target victims and demand payment, often in the form of cryptocurrency, the report says.

The centre says basic digital hygiene practices — such as regularly updating software, implementing multi-factor authentication for account access, backing up data and being cautious about phishing attempts — can help protect against cyber threats.

Canadian organizations should also take advantage of the tools available to them — such as the malware detection and analysis tool Assemblyline, developed by the Cyber Centre — to continuously monitor their networks and stay vigilant, the outlook report adds.

“Cybersecurity practices are not just an optional extension of one’s business,” the report says. “They are integral to protecting critical data and operations, and to safeguarding Canadians who are reliant on the services of organizations responsible for this data.”

Ongoing collaboration between police, the private sector and international allies will be needed to bolster understanding of threats and co-ordinate appropriate measures to address and prevent the spread of ransomware, the report says.

The cybersecurity centre warned as early as 2022 that criminals could adopt new techniques — such as threatening a target’s partners or clients — to increase their chances of receiving payment.

It noted that one cybercriminal group, which had targeted victims in Canada, was known to conduct denial-of-service attacks during payment negotiations, increasing the pressure.

The latest report says the trend toward such “multi-extortion methods” demonstrates cybercriminals’ increased sophistication and their efforts to boost both the effect of their attacks and the likelihood of victims paying the ransom.

The centre says that although most ransomware groups likely will continue to use encryption to lock down victims’ data, there is a trend toward attacks focused on stealing sensitive data as a tool of extortion.

Critical infrastructure, such as energy and water facilities, and large corporations remain attractive targets for ransomware actors, but “no organization is immune” to cyberattacks, the report says.

This report by The Canadian Press was first published Jan. 28, 2026.