Cyber Incident Victim: Remax Kelowna
Date: Feb 2021
Location: Canada
Summary
A British Columbia real estate agency experienced a ransomware attack claimed by the Conti group, which listed the organization as a victim and purported to have exfiltrated 15 files. The company initially believed the rapid containment of the incident prevented data theft or system encryption, stating it received no ransom demand. However, attackers successfully accessed limited data, with the breach's full scope only confirmed after external notification. The incident mirrored another case where no ransom was demanded despite confirmed intrusion, highlighting discrepancies between attacker claims and victim assessments of compromise severity.
Description
In early February 2021, the Conti ransomware group publicly listed ReMax Kelowna, a British Columbia-based real estate agency, as a victim on its leak site. The group claimed responsibility for a cyberattack against the company and provided evidence by disclosing the names of 15 files allegedly exfiltrated during the incident. This public disclosure occurred before ReMax Kelowna itself had confirmed any data compromise. Company representatives, including Lyle Redman, initially believed the attack had been contained rapidly enough to prevent significant data loss or operational disruption. Redman stated that their systems were never locked down by the attackers and that no ransom demand was received, contrasting with typical ransomware incidents where encryption occurs alongside extortion demands. The organization became aware of the data theft only after media inquiries alerted them to Conti’s claims, indicating a gap in their initial incident assessment.

The attack’s primary confirmed impact was the unauthorized access to and exfiltration of at least 15 files, though the specific content and sensitivity of these files were not detailed in available reports. ReMax Kelowna’s response focused on rapid containment, with Redman emphasizing that their team shut down the intrusion quickly to limit further access. This swift action prevented system-wide encryption, which would have halted business operations, but did not entirely block data exfiltration. The company did not publicly confirm whether the stolen files contained client information, proprietary data, or other sensitive materials. No subsequent reports detailed financial losses, legal actions, or recovery costs tied to the incident. The absence of a ransom demand and encryption phase marked this as an atypical ransomware case, aligning it more closely with pure data-theft incidents than traditional ransomware lockouts. Conti’s motivations remained unclear, as the group neither escalated its threats nor released additional data beyond the initial file list disclosure.
