Ransomware Attack on Provencher Roy by BlackBasta

Incident Date:

May 20, 2024

World map



Ransomware Attack on Provencher Roy by BlackBasta


Provencher Roy




Montréal, Canada

, Canada

First Reported

May 20, 2024

Ransomware Attack on Provencher Roy by BlackBasta

Victim Overview

Provencher Roy, a prominent Canadian architecture and design firm, recently experienced a ransomware attack orchestrated by the cybercrime group BlackBasta. The company, founded in 1983 by Claude Provencher and Michel Roy, specializes in innovative and sustainable architectural solutions for various projects in the commercial, residential, cultural, and institutional sectors. Provencher Roy is known for its transdisciplinary approach, focusing on sustainability and radical reuse of existing structures.

Company Size and Standout

With a total of thirty-three partners as of March 2022, Provencher Roy has grown significantly over the years. The firm has received numerous awards, including the Royal Architectural Institute of Canada Architectural Firm of the Year Award and the Governor General's Medals in Architecture. Their expertise in sustainable development and diverse services contribute to their financial success and industry recognition.

Attack Overview

During the ransomware attack on Provencher Roy, BlackBasta infiltrated the company's systems and exfiltrated 3 terabytes of data. The stolen information includes sensitive project details, CAD drawings, 3D models, corporate data, and personal employee documents. This breach poses a significant threat to the company's operations and data security.

Ransomware Group BlackBasta

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group targets organizations in various countries, employing highly targeted attacks and utilizing double extortion tactics. BlackBasta has been linked to significant cyber incidents, impacting critical infrastructure sectors and causing financial losses to victim organizations.

Penetration and Vulnerabilities

BlackBasta likely gained access to Provencher Roy's network through spear-phishing campaigns, insider information, or by purchasing network access. Once inside the system, the group used tools like QakBot and Mimikatz to move laterally, harvest credentials, and maintain control over compromised systems. The attack highlights the vulnerabilities in Provencher Roy's cybersecurity defenses and the importance of robust security measures to prevent future breaches.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.