Cyber Incident Victim: Canadian Nurses Association
Date: Apr 2023
Location: Canada
Summary
The Canadian Nurses Association experienced a cybersecurity incident that impacted some of its systems. The Snatch ransomware gang claimed responsibility for the attack; its malware reportedly operates by rebooting computers into Safe Mode to bypass security software before encrypting hard drives. The association immediately launched an investigation with third-party experts, notified law enforcement, and stated that its operations were not impacted by the event.
Description
On April 3, 2023, the Canadian Nurses Association (CNA) experienced a cybersecurity incident that impacted some of its systems. The association, which represents 460,000 nurses across various categories nationwide, confirmed the event but did not publicly classify it as a ransomware attack. The incident was brought to public attention following a tweet by Brett Callow, a threat analyst for Emsisoft, which stated the Snatch ransomware gang had listed the CNA as a victim on its data leak site. When queried about this specific claim, Alexandre Bourassa, the CNA’s public affairs lead, did not directly confirm or deny the ransomware attribution, focusing instead on the association's response measures.

The Snatch malware, associated with the incident, operates by rebooting an infected Windows computer into Safe Mode, a state in which most security software does not run. Once in Safe Mode, the malware proceeds to encrypt the victims' hard drives. This group has been operating since at least 2018. According to historical analysis by cybersecurity firm Sophos, the Snatch gang commonly gained initial access to enterprise networks through automated brute-force attacks against vulnerable, exposed services such as Windows Remote Desktop Protocol (RDP). In one documented incident from 2019, attackers successfully brute-forced the password to an administrator’s account on a Microsoft Azure server and then logged into that server using RDP.
Following initial access, the attackers' tactics involved extensive network reconnaissance and lateral movement. In the case studied by Sophos, the threat actors installed surveillance software on approximately five percent of an organization's computers, which amounted to around 200 machines. They subsequently installed several malware executables, including tools designed to provide persistent remote access to compromised machines independent of the initially breached server. The attackers also utilized a free Windows utility called Advanced Port Scanner to discover additional machines on the network to target. According to a separate April 2023 report from Gridinsoft, the actors behind Snatch typically do not exfiltrate data prior to encryption, focusing solely on the disruptive aspect of the attack.
The malware employs several techniques to ensure its success and hinder recovery efforts. It disables third-party antivirus software and also suspends Windows Defender by editing Group Policies. To prevent victims from restoring their systems from backups, the ransomware removes Volume Shadow Copies and deletes backups created with basic Windows functionality. These actions are consistent with common ransomware tactics designed to maximize pressure on victims to pay a ransom.
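The Safe Mode reboot and backup destruction described above leave process-creation telemetry that a defender can correlate. The following detection logic is an added example, not material from the incident or from any vendor report; the sample events are constructed, and the command-line patterns it matches (bcdedit safeboot, vssadmin/wbadmin deletion, a forced shutdown) are assumed forms of the standard Windows tools, not indicators taken from the CNA case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation records (Sysmon Event ID 1 reduced to the fields a detection
# needs); hosts, timestamps and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-04-03T02:14:05", "host": "WS-17", "cmd": "cmd.exe /c ipconfig /all"},
    {"ts": "2023-04-03T02:15:10", "host": "WS-17", "cmd": "bcdedit.exe /set {current} safeboot minimal"},
    {"ts": "2023-04-03T02:15:12", "host": "WS-17", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-04-03T02:15:20", "host": "WS-17", "cmd": "shutdown.exe /r /f /t 0"},
    {"ts": "2023-04-03T09:00:00", "host": "WS-02", "cmd": "bcdedit.exe /set {current} safeboot minimal"},
    {"ts": "2023-04-03T09:30:00", "host": "WS-05", "cmd": "vssadmin.exe list shadows"},
]

# Command-line indicators for the behaviours described above. The command forms are
# assumed (standard Windows administrative tools), not taken from the incident itself.
RULES = {
    "safeboot_set": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
}
# A Safe Mode boot flag alone is noisy (admins use it); the flag plus a reboot, or any
# backup destruction, in a short window is the pattern worth escalating.
CHAIN = {"safeboot_set", "forced_reboot"}
DESTRUCTIVE = {"shadow_copy_delete", "backup_catalog_delete"}


def match_rules(cmd):
    """Names of every indicator rule matching one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def assess_hosts(events, window_seconds=600):
    """Map host -> {"indicators", "severity"} for hosts with any match, grading the
    indicators seen within window_seconds of that host's first match."""
    per_host = defaultdict(list)
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hits))
    findings = {}
    for host, matches in per_host.items():
        matches.sort(key=lambda m: m[0])
        start = matches[0][0]
        seen = {n for ts, names in matches
                if (ts - start).total_seconds() <= window_seconds for n in names}
        severity = "high" if (CHAIN <= seen or seen & DESTRUCTIVE) else "medium"
        findings[host] = {"indicators": seen, "severity": severity}
    return findings
```

On the constructed sample, WS-17 is graded high (Safe Mode flag, shadow copy deletion and forced reboot within ten seconds) while WS-02, with a lone bcdedit change, is graded medium for analyst review.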
In response to the incident, the Canadian Nurses Association immediately launched an investigation. The organization also engaged leading third-party cybersecurity experts to assist with the response efforts. As a precautionary measure, the CNA notified the appropriate law enforcement authorities about the breach. The association stated that the incident did not impact its ongoing operations, suggesting that core business functions were maintained despite the compromise of some systems. The investigation was still ongoing at the time of the public statement, and the CNA declined to provide further specific details until it was complete. The association committed to working with its industry-leading partners to implement enhanced security measures to protect its systems and to prevent a similar type of incident from occurring in the future. The full scope of the systems impacted, and whether any data was accessed or exfiltrated, was not publicly disclosed by the CNA.
