The Canadian Ransomware Paradox: Why Two Surveys Disagree on Payment

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed May 7, 2026

Two of the most-cited Canadian ransomware statistics flatly contradict each other.

Statistics Canada, reporting on 2023 data released in October 2024, says that 88% of Canadian businesses hit by ransomware did not pay. The Canadian Internet Registration Authority, in its 2025 Cybersecurity Survey, says that 74% of victims paid the ransom. The figures are 62 percentage points apart. They were collected within roughly the same window. Both are published by credible Canadian institutions. Both are widely quoted in board decks, insurance underwriting reviews, and incident response tabletops.

Both are correct.

That's not a hedge. The gap between the two numbers isn't a survey error or a methodology dispute. It's a measurable consequence of who each survey asked, and it carries a useful operational signal for any organization deciding how to invest in resilience before an attack lands. Reading the two numbers together tells a far more honest story than either tells alone.

Key insight

The 62-point gap between StatCan (88% don't pay) and CIRA (74% do pay) is not a methodology dispute. The two surveys measure different populations responding to the same threat from very different starting positions.

See the paradox visualized


The interactive widget at stats.truvocyber.com/canadian-ransomware-paradox lets readers move between the two survey populations and see how the same underlying reality produces two different headline numbers. The rest of this article walks through the data, the surrounding case evidence, and what it implies for incident response posture.

Why "88% don't pay" is correct

Statistics Canada's 2023 cycle of the Canadian Survey of Cyber Security and Cybercrime is the broadest economy-wide measurement Canada produces on this question. The release in The Daily on October 21, 2024 reports a final sample of 12,462 enterprises with a 71% response rate. The frame is enterprises with 10 or more employees across nearly every sector of the economy, with public administration excluded. Sole proprietors and microbusinesses with fewer than 10 employees are out of scope, but otherwise this is as close to a representative cross-section of Canadian commerce as any single dataset gets.

Of the businesses that experienced a ransomware incident, 88% did not make a ransom payment. The framing matters. This is the mid-sized and larger Canadian economy, weighted toward the median rather than the dramatic. It includes a manufacturing firm in Saint John, a regional auto-parts distributor in Brampton, a mid-sized law office in Calgary, an agricultural co-op in southern Saskatchewan, and thousands like them. In that population, refusing to pay is not the brave outlier. It is the modal response.

Three structural reasons explain why the broad-economy non-payment rate is so high. First, much of the ransomware activity hitting the wider commercial economy uses commodity tooling against commodity targets, with disruption that's serious but recoverable from offline backups and clean rebuilds. Second, sectors like manufacturing, distribution, and trades carry less acutely sensitive data than healthcare or financial services, so regulatory pressure to capitulate is lower. Third, smaller operations often don't have the cash to negotiate a six-figure payment within an attacker's timeline, and the decision gets made by default rather than deliberation.

The StatCan number is real. It describes the entire mid-and-larger Canadian economy, and the dominant outcome in that economy is non-payment.

Why "74% do pay" is correct

CIRA's 2025 Cybersecurity Survey draws from a very different well. Strategic Counsel fielded the survey in August 2025 to roughly 500 cybersecurity decision-makers across Canada. Of the 24% of respondents whose organizations had been hit by ransomware, 74% reported paying. Within that same cohort, 74% had data exfiltrated.

That sample is not the broad Canadian economy. By design, it's the cohort of organizations mature enough to staff a person whose job title says cybersecurity decision-maker. Those organizations tend to share a profile: they hold sensitive data, they operate under regulatory pressure, they sell into customers that demand documented controls, and the cost of a multi-day outage is measured in seven figures or more. They're also the firms whose attack surface is mapped, scanned, and monitored often enough that intrusions get caught and named, which is one reason the incidence rate within this cohort is so high.

When ransomware hits an organization in that profile, the calculus shifts. Operational downtime imposes contractual penalties under SLAs. Regulatory clocks start running under PIPEDA, PHIPA, or Law 25 the moment exfiltration is suspected. Customer notification requirements compound. The cost of refusing to pay starts to look comparable to, or worse than, the ransom itself, especially when the attacker has data and threatens publication.

The CIRA number is also real. It describes the cohort of Canadian organizations with named cybersecurity programs, and within that cohort, payment is the dominant outcome.

The two numbers don't disagree about Canadian ransomware. They describe two different populations responding to the same threat from very different starting positions.

When Canadian businesses do pay, what do they pay?

Visual 2 — What Canadian ransomware victims actually paid
When Canadian businesses do pay, most pay under $10,000
Statistics Canada CSCSC sample of ~12,000 enterprises, 2023 cycle. Among the enterprises hit by ransomware, 12% paid, and the distribution of payments skews heavily toward smaller amounts (shares of all ransomware victims):
  • Did not pay: 88%
  • Paid under $10,000: ~10%
  • Paid $10,000–$500,000: ~1.5%
  • Paid over $500,000: ~0.5%
Source: Statistics Canada, 2023 Canadian Survey of Cyber Security and Cybercrime (October 2024)

This is the one place the two surveys converge, and the convergence is illuminating.

Cohort                                       Modal payment band                   Tail behaviour
StatCan (broad economy, 12,462 enterprises)  Under $10,000 (84% of payers)        ~4% of payers over $500,000
CIRA (~500 cyber decision-makers)            $25,000 to $50,000 (28% of payers)   15% of payers paid $100,000+

Among StatCan's broader sample, 84% of payers paid less than $10,000. Re-expressed as a share of all ransomware victims, that's roughly 10% of the total. The middle band of payers, those paying between $10,000 and $500,000, works out to roughly 1.5% of all victims. The tail, those paying more than $500,000, represents about 0.5% of all victims. Re-expressing StatCan's share-of-payers figures as share-of-all-victims is derived math, not a directly quoted figure, and the original framing is worth keeping in view: 84% of payers stayed under $10,000.

In CIRA's cohort, the numbers shift sharply upward. The most common payment band is $25,000 to $50,000, capturing 28% of payers, and 15% reported paying $100,000 or more. Phrasing matters: most common is not median, and the survey reports modal bands rather than means. The direction is unambiguous though. Payments inside CIRA's mature-program cohort cluster at roughly an order of magnitude higher than the modal payment in StatCan's broader economy.

The two distributions don't actually disagree about ransom economics. They show that the size of the ransom an attacker can extract scales with the value of what's being held hostage, and that the StatCan and CIRA cohorts hold hostage data of very different value. A welding shop in Lethbridge with quotes and customer addresses on a desktop is not negotiating from the same position as a clinical lab with three terabytes of patient records and a regulatory notification clock running.

The same underlying market produces both distributions. Reading them together gives a more honest sense of how Canadian ransomware works than either gives alone.

The ransom is rarely the largest line item

Visual 3 — Canadian breach class action and direct cost outcomes
The ransom is rarely the largest line item
Public Canadian breach cases. The legal and regulatory tail dwarfs the initial incident response in nearly every case.
  • Desjardins class action settlement, 2022: $200.9M. Largest Canadian financial-services breach settlement to date. 9.7M Canadians affected. Plus $108M in pre-settlement direct costs.
  • LifeLabs class action settlement, October 2023: $9.8M. 8.6M Canadians had personal health information compromised in the 2019 cyberattack. Settled for $5.86 (cheque) or $7.86 (e-transfer) per valid claimant. Approved by the Ontario Superior Court of Justice on October 25, 2023.
  • Ontario hospitals ransomware, 2023: $7.5M. Five Ontario hospitals. Direct recovery and remediation costs only; class action exposure pending.
  • Indigo direct disclosed costs, Q4 FY23: $5.2M. Direct expenses disclosed as of April 1, 2023 reporting; additional ransomware-related costs continued to accrue in subsequent quarters. Excludes the $26.5M Q4 revenue decline and the $49.6M annual net loss attributable to the attack.
Note on scale: The Desjardins settlement is more than 20× the LifeLabs settlement. Bars are drawn to relative proportional scale.
Sources: Quebec Superior Court approval, Lambert v. Desjardins (June 14, 2022); Ontario Superior Court of Justice, LifeLabs settlement (October 25, 2023); Indigo Q4 FY23 financial disclosures.

Whatever an organization pays or refuses to pay in the heat of an incident, the financial outcome is shaped far more by what happens afterward. Public Canadian breach cases make the asymmetry plain.

PUBLIC CANADIAN BREACH CASES

Desjardins, $200.85 million settlement

The Desjardins class action settlement was approved by the Quebec Superior Court on June 14, 2022. Roughly 9.7 million Canadians had personal information exposed in the 2017 to 2019 insider data theft. One settlement, on one breach, at one institution. The figure dwarfs almost any plausible initial ransom payment.

LifeLabs, $9.8 million settlement

The LifeLabs settlement approved by the Ontario Superior Court of Justice on October 25, 2023 came in at $9.8 million, with 8.6 million Canadians affected by the 2019 cyberattack. Per-claimant payouts were modest at $5.86 by cheque or $7.86 by e-transfer, but the aggregate liability is substantial, and the regulatory and brand consequences extended well beyond the cheque.

Five Ontario hospitals via TransForm, $7.5 million+ disclosed

The 2023 ransomware attack against five Ontario hospitals and a clinic, hitting roughly 516,000 patients and employees through their shared IT vendor TransForm, has produced more than $7.5 million in disclosed direct recovery and remediation costs to date, with class action exposure still working its way through the courts.

Indigo, refused to pay, $49.6 million annual net loss

Indigo refused to pay a ransom in February 2023. The direct disclosed costs reached approximately $5.2 million by April 2023, but Indigo also reported a $26.5 million Q4 revenue decline and a $49.6 million annual net loss attributable to the attack and the operational disruption that followed. Refusing to pay was almost certainly the right call. It was also extremely expensive.

The pattern is consistent. The ransom decision dominates the headlines, but it's typically a small fraction of the total cost picture. Class action exposure, regulatory investigation, lost business, and recovery operations are where the dollars actually accumulate.

Where the dollars actually go

The ransom, when paid, sits below class action exposure, regulatory investigation, lost business, and recovery operations on the cost stack. Optimizing the program around the ransom amount is optimizing the wrong line item.

Whether you pay is mostly determined before the attack

Visual 4 — The ransom decision matrix
Whether your organization pays is mostly determined before the attack
Two factors drive payment outcomes more than any post-incident decision: backup posture and data sensitivity. Rows: data sensitivity / regulatory exposure (high or low). Columns: no backups, or backups verified and restorable.
  • High sensitivity · No backups: highest pressure to pay. No clean restoration path. Regulatory clock ticking. Sanctions exposure on every payment decision. The worst possible position.
  • High sensitivity · Backups verified: restore, notify, hold the line. Indigo's posture in 2023. Costly to recover but able to refuse payment without losing the business.
  • Low sensitivity · No backups: rebuild from clean. Painful, but manageable. Most StatCan small-business "non-payers" sit here. The data isn't valuable enough to pay for.
  • Low sensitivity · Backups verified: restore, document, report. The strongest position. Standard incident response runs cleanly. Insurance and counsel handle the residual.
Truvo Cyber analysis based on Canadian incident-response patterns

If the cost of an incident is dominated by what comes after the ransom decision, the obvious question is whether organizations have any leverage on the upstream variables. They do, and the lever is much earlier in the timeline than most teams think.

Two factors move an organization from the high-pressure-to-pay quadrant into the able-to-refuse quadrant: backup posture and data sensitivity. The second is largely structural, an artifact of what business the organization is in. The first is fully within the organization's control, and it's where the gap between the StatCan cohort and the CIRA cohort tends to open up.

Backup posture is not "we have backups." It's whether backups are immutable or air-gapped from the production environment, whether the restore process has been exercised against ransomware-style scenarios within the last twelve months, whether the organization knows its actual recovery time objective rather than the one written in a policy nobody has tested, and whether key personnel can find the runbook at 2:00 AM on a long weekend. Most organizations that get hit and pay have backups. They don't have backups they can confidently restore from inside the window the attacker is willing to wait.

Data sensitivity is more structural, but the response to it isn't. Healthcare, finance, legal, and any organization holding personal information at scale lives at high regulatory exposure by default. The question for those organizations isn't whether they're exposed but whether they've matured the program to absorb the exposure: whether breach notification procedures are pre-rehearsed under provincial health privacy acts, federal PIPEDA, and Quebec's Law 25; whether legal counsel and forensics retainers are pre-negotiated and on speed dial; whether incident response is genuinely drilled rather than a binder on a shelf.

These are not exotic capabilities. They're the difference between an organization that ends up looking like Indigo, painfully but successfully refusing payment, and one that ends up in CIRA's 74%, paying because there's no realistic alternative.

The full cost stack

Visual 5 — The full cost stack of a major Canadian breach
Everything the bill includes
A composite view of where post-breach costs accumulate, based on disclosed Canadian cases. The ransom — paid or not — is rarely the largest line. Layers, from the top of the stack down:
  • Reputational repair: hardest to quantify, often the largest
  • Class action / civil exposure: $5M–$200M+ in Canadian cases
  • Regulatory investigation: OPC, CAI, provincial commissioners
  • Lost business / revenue: Indigo, ~$26.5M in one quarter
  • Direct incident response: forensics, legal, restoration
  • Ransom (if paid): often the smallest line item
Truvo Cyber composite based on disclosed Canadian breach cases (Desjardins, LifeLabs, Indigo, Ontario hospitals)

The disclosed dollar costs in any breach case are the visible top of a much larger stack. A more complete view explains why "we'd just pay if it happens" is a dangerous strategy regardless of the ransom amount.

The cost stack, top to bottom

  • Reputational repair. The hardest layer to quantify and often the largest. Customer churn, prospect cooling, board distraction, and years of slower deal velocity show up in revenue but rarely in breach disclosures.
  • Class action exposure. Matured rapidly in Canada, particularly in Quebec under Law 25 and in Ontario under common-law privacy torts. Desjardins and LifeLabs are precedents, not outliers.
  • Regulatory investigation. Absorbs internal time at executive and legal levels for months or years after the technical incident is closed.
  • Lost business. Slowed sales cycles, contract delays from procurement reviews that suddenly need updated security documentation, and renewals that wobble.
  • Direct response costs. Forensic firm, breach counsel, notification logistics, credit monitoring offer.
  • The ransom. When paid, sits below all of these.

That's not an argument for paying. It's an argument that the size of the ransom is rarely the right metric to optimize the program around.

Move from the CIRA cohort to the StatCan cohort

The organizations that end up paying ransoms aren't the ones that are unlucky. They're the ones that arrived at the moment of decision without the optionality to refuse. The work of building that optionality (immutable backups verified by exercise, regulatory clocks pre-mapped, breach counsel on retainer, runbooks rehearsed quarterly) is the work of an effective security program. That work is what moves an organization from the cohort that pays to the cohort that doesn't, regardless of which survey it ends up in.

Truvo Cyber works with Canadian companies on exactly this transition. If your team is reviewing your ransomware posture and isn't sure whether you'd be in the 88% or the 74% if it happened tomorrow, that question itself is the start of useful work. Our SOC 2 readiness assessment and CPCSC Level 1 readiness scorecard are two common entry points; the ISO 27001 readiness scorecard is another. Each is a structured way to surface where your backup posture, evidence trail, and incident response actually sit relative to where they need to be.

KEEP REFUSAL CHEAPER THAN PAYMENT

Build the effective security program that gives your team the optionality to refuse a ransom before the attack lands.

Frequently asked questions

Why do StatCan and CIRA report such different ransomware payment rates?

Both numbers are correct. They sample different populations. Statistics Canada's 2023 cycle of the Canadian Survey of Cyber Security and Cybercrime drew from 12,462 enterprises with 10 or more employees across nearly every sector except public administration, and reported that 88% of ransomware victims did not pay. The CIRA 2025 Cybersecurity Survey was fielded by Strategic Counsel in August 2025 to roughly 500 cybersecurity decision-makers, and reported that 74% of victims paid. The first measures the broad Canadian economy. The second measures organizations mature enough to staff a named cybersecurity decision-maker. The same threat lands very differently on those two populations, which is why the headline rates diverge by 62 percentage points.

Should we plan to pay or plan to refuse?

Plan to refuse, and build the operational posture that makes refusal viable. The decision to pay is rarely made in the heat of an incident on its merits. It is largely determined upstream by backup posture, data sensitivity, and regulatory exposure. Organizations with immutable backups verified by recent restore exercises, pre-mapped breach notification clocks under PIPEDA, PHIPA, or Quebec's Law 25, and pre-negotiated breach counsel and forensics retainers retain the optionality to refuse. Organizations without those capabilities arrive at the table with no realistic alternative. The CIRA cohort shows what happens when mature programs face attackers holding exfiltrated data: 74% pay, because the cost of refusing has been allowed to exceed the ransom. The work is to keep refusal cheaper than payment.

Is paying the ransom illegal in Canada?

Paying a ransom is not, on its own, illegal in Canada. There is no Canadian statute that bans ransom payments outright. The risk sits in adjacent obligations. Payments to entities sanctioned under Canada's Special Economic Measures Act or Justice for Victims of Corrupt Foreign Officials Act can expose payers to sanctions liability, and several prominent ransomware groups operate from sanctioned jurisdictions. Beyond sanctions, an exfiltration incident triggers breach notification obligations under PIPEDA, provincial health privacy acts such as Ontario's PHIPA, and Quebec's Law 25, regardless of whether a ransom is paid. Counsel should review every payment decision against current sanctions designations before funds move. The legal question is not whether you can pay, it is whether this particular payment is clean.

What does an immutable backup actually require?

Immutability is not a checkbox on a backup product. It means the backup cannot be modified or deleted by any account that ransomware could compromise, including domain admin and the backup service account itself. In practice that requires storage with object lock or write-once-read-many semantics, retention locks measured in weeks not hours, network or identity isolation from the production Active Directory or identity provider, and a periodic restore exercise that proves the backups are usable inside a realistic recovery time objective. The Statistics Canada release shows non-payment is the modal outcome economy-wide, but most organizations that pay have backups, just not backups they can confidently restore from inside the attacker's window. The exercise is what closes that gap.
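As an added example (not code from the article or from Truvo Cyber), the script below turns the "backup posture" criteria from the section above and from this answer into something a team can run: it performs an actual restore drill over a small constructed backup set, verifying every restored file against a SHA-256 manifest and timing the restore against a target recovery time objective, and it scores a posture record (object lock, retention lock length, identity isolation, recency of the last drill, measured versus target RTO) into a list of gaps. The thresholds (14-day retention floor, 12-month drill window, 8-hour RTO), the sample files and the posture values are assumptions chosen for illustration, not figures from the page.

```python
# Added example (not from the article or Truvo Cyber): a backup-posture
# self-check that (1) runs a real restore drill over a constructed backup set,
# verifying each file by SHA-256 and timing the restore against a target RTO,
# and (2) scores a posture record against immutability criteria. All paths,
# thresholds and sample files are illustrative assumptions.
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample backup set: relative path -> file content.
SAMPLE_BACKUP: Dict[str, str] = {
    "db/orders.sql": "INSERT INTO orders VALUES (1, 'constructed sample row');\n",
    "config/app.yaml": "app: demo\nenv: restore-drill\n",
}


@dataclass
class BackupPosture:
    object_lock_enabled: bool              # WORM / object lock on the backup store
    retention_lock_days: int               # retention lock; should be weeks, not hours
    identity_isolated: bool                # store does not trust the production AD / IdP
    last_restore_exercise: Optional[date]  # date of the last full restore drill
    measured_rto_hours: Optional[float]    # restore time actually observed in that drill
    target_rto_hours: float                # RTO the business needs (assumed policy value)


def evaluate_posture(p: BackupPosture, today: Optional[date] = None) -> List[str]:
    """Return the gaps that keep backups from being 'verified and restorable'."""
    today = today or date.today()
    gaps: List[str] = []
    if not p.object_lock_enabled:
        gaps.append("no object lock / WORM: a compromised backup account can delete backups")
    if p.retention_lock_days < 14:  # assumed floor: at least two weeks
        gaps.append(f"retention lock of {p.retention_lock_days} days is too short")
    if not p.identity_isolated:
        gaps.append("backup store trusts the production identity provider")
    if p.last_restore_exercise is None or today - p.last_restore_exercise > timedelta(days=365):
        gaps.append("no full restore exercise within the last twelve months")
    elif p.measured_rto_hours is None or p.measured_rto_hours > p.target_rto_hours:
        gaps.append("measured restore time exceeds the target RTO (or was never measured)")
    return gaps


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str) -> Dict[str, str]:
    """Record a SHA-256 digest for every file in the backup set."""
    manifest: Dict[str, str] = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def restore_drill(backup_dir: str, restore_dir: str, manifest: Dict[str, str],
                  target_rto_hours: float) -> Tuple[bool, float, List[str]]:
    """Copy the backup set to a clean location, verify each file against the
    manifest and time the whole restore. Returns (ok, elapsed_hours, mismatches);
    ok is True only if nothing is missing or altered and the restore fit the RTO."""
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    mismatches: List[str] = []
    for rel, digest in manifest.items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.exists(restored) or sha256_file(restored) != digest:
            mismatches.append(rel)
    elapsed_hours = (time.monotonic() - start) / 3600.0
    return (not mismatches and elapsed_hours <= target_rto_hours), elapsed_hours, mismatches


def drill_constructed_set(files: Dict[str, str], tamper: Optional[str] = None,
                          target_rto_hours: float = 8.0) -> Tuple[bool, float, List[str]]:
    """Materialise a constructed backup set in a temp dir, optionally overwrite one
    file after the manifest is taken (simulating silent corruption of the backup),
    run the drill, and clean up."""
    work = tempfile.mkdtemp()
    try:
        backup = os.path.join(work, "backup")
        for rel, content in files.items():
            full = os.path.join(backup, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        manifest = write_manifest(backup)
        if tamper is not None:
            with open(os.path.join(backup, tamper), "w") as f:
                f.write("altered after the manifest was taken\n")
        return restore_drill(backup, os.path.join(work, "restore"), manifest, target_rto_hours)
    finally:
        shutil.rmtree(work, ignore_errors=True)


def scorecard(today: date = date(2026, 5, 7)) -> Tuple[bool, List[str]]:
    """Run the drill on the sample set and feed the measured RTO into the posture
    check. Returns (drill_ok, gaps); an empty gap list is the 'backups verified' quadrant."""
    ok, hours, _ = drill_constructed_set(SAMPLE_BACKUP)
    posture = BackupPosture(True, 30, True, date(2026, 4, 1), hours, 8.0)
    return ok, evaluate_posture(posture, today)


if __name__ == "__main__":
    print(scorecard())
    print(evaluate_posture(BackupPosture(False, 2, False, None, None, 8.0)))
```

The point of wiring the drill into the posture check is that the measured restore time, not the policy figure, is what gets compared against the RTO; a posture record that has never been fed a real measurement reports a gap rather than passing silently. In a real environment the constructed temp-directory backup would be replaced by a restore from the object-locked store into an isolated recovery network, with the same manifest verification.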

How much does a Canadian breach typically cost beyond the ransom?

Substantially more than the ransom in almost every public case. The Desjardins class action settlement approved by the Quebec Superior Court on June 14, 2022 came in at $200.85 million for the 2017 to 2019 insider data theft affecting roughly 9.7 million Canadians. The LifeLabs settlement approved by the Ontario Superior Court of Justice on October 25, 2023 came in at $9.8 million covering 8.6 million affected Canadians. Indigo refused payment in February 2023 and disclosed roughly $5.2 million in direct response costs by April 2023, plus a $26.5 million Q4 revenue decline and $49.6 million annual net loss attributable to the attack. The ransom, when paid, sits below class action exposure, regulatory investigation, lost business, and recovery operations on the cost stack.

Where should a CTO start if they want to move out of the high-payment-pressure quadrant?

Start by getting honest about the two upstream variables that decide the outcome: backup posture and regulatory exposure. Ask three questions. First, when was the last time we performed a full restore from immutable backups under a ransomware-style scenario, and what was the actual recovery time, not the policy figure? Second, do we know which provincial and federal breach notification clocks start running the moment exfiltration is suspected, and is counsel pre-engaged? Third, is incident response genuinely drilled, or is it a binder? A structured readiness assessment is usually the fastest way to surface where the gaps actually are. Truvo's SOC 2 readiness assessment, CPCSC Level 1 readiness scorecard, and ISO 27001 readiness scorecard are common entry points for that work.

Sources and methodology

This article relies on three primary data sources, all cited inline.

Statistics Canada, Canadian Survey of Cyber Security and Cybercrime, 2023 cycle. Released in The Daily on October 21, 2024. Final sample of 12,462 enterprises, response rate 71%, frame of enterprises with 10 or more employees across all sectors except public administration. Used for the 88% non-payment figure, the payment-band breakdown among payers (84% under $10,000, approximately 12% in the middle band, 4% over $500,000), and the recovery spending figures of $1.2 billion in 2023 and $600 million in 2021.

CIRA 2025 Cybersecurity Survey. Fielded by Strategic Counsel in August 2025 to approximately 500 cybersecurity decision-makers across Canada. Full report on cira.ca. Used for the 74% payment rate among victims, the 74% data exfiltration rate, and the payment-band distribution showing $25,000 to $50,000 as the modal band at 28% of payers and 15% of payers paying $100,000 or more.

Public Canadian breach cases. Quebec Superior Court approval of the Lambert v. Desjardins settlement, June 14, 2022. Ontario Superior Court of Justice approval of the LifeLabs settlement, October 25, 2023. Disclosed ransomware recovery costs from the October 2023 attack on five Ontario hospitals and a clinic via TransForm Shared Service Organization. Indigo Q4 FY23 and full-year FY23 financial disclosures for the February 2023 attack.

A note on the StatCan payment-band figures: Statistics Canada publishes the breakdown as a share of payers (84%, approximately 12%, 4%). This article re-expresses those figures as a share of all victims (~10%, ~1.5%, ~0.5%) by multiplying through the 12% payment rate. The arithmetic is consistent but is a derived presentation of the underlying data, not a directly quoted figure. Readers may prefer StatCan's original framing.


About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
