The Hamilton Spectator

Behind the software used to lock down Indigo and SickKids

- TARA DESCHAMPS

Indigo Books & Music Inc. revealed this week that a massive systems outage it’s been dealing with for almost a month was triggered by ransomware.

The retailer, which lost access to its website and payments capabilities, said the attack deployed LockBit, a malicious software increasingly cropping up in digital security breaches.

What is LockBit?

LockBit is both a cyberattack group and a malicious software used to carry out criminal attacks.

LockBit, the group, operates as a ransomware-as-a-service business, where teams develop malware that is licensed to affiliate networks, which use it to carry out attacks, said Sumit Bhatia, the director of innovation and policy at the Rogers Cybersecure Catalyst at Toronto Metropolitan University.

Security software company BlackBerry’s website says LockBit malware infiltrates its target networks through unpatched vulnerabilities, insider access and zero-day exploits — flaws in software discovered before the company which created it realizes the problem, giving them “zero days” to fix it.

LockBit is then able to establish control of a victim’s system, collect network information and steal or encrypt data, the site said.

“LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly,” BlackBerry said.

How prolific is LockBit?

LockBit has made at least $100 million in ransom demands and extracted tens of millions of dollars in payments from victims, said a court document filed in the District of New Jersey in a 2022 case against a suspected LockBit member. LockBit emerged as early as January 2020 and members have since executed at least 1,000 attacks against victims in the U.S. and around the world, the document alleged.

Who is behind LockBit?

That’s a tricky question, said Bhatia, because “these folks operate in such shadows.”

“But what we understand largely is that there’s a deep connection to Russia and to former members of the Russian community, who may not necessarily be based out of Russia anymore, but could be operating from a series of different locations across Europe, and form a part of this large network that LockBit has launched,” he added.

That means LockBit members could be located anywhere in the world. In November, for example, the U.S. Department of Justice charged dual Russian and Canadian citizen Mikhail Vasiliev in connection with his alleged participation in a ransomware campaign.

Where else has it been involved?

Toronto’s Hospital for Sick Children experienced a ransomware attack in December that affected operations. LockBit claimed one of its partners carried out the attack, which the group eventually apologized for, saying attacks on hospitals violate its rules.

LockBit’s other victims include the U.K.’s Royal Mail, French technology group Thales and the Lisbon Port Authority in Portugal.

What can companies do to avoid falling victim to a LockBit attack?

LockBit relies primarily on phishing attacks, said Bhatia.

Phishing starts with fraudulent emails or text messages meant to look like they’ve been sent by a trustworthy company. They often dupe people into entering confidential information such as passwords into a fraudulent website or downloading malware onto a computer with access to a network.

“Ransomware, especially through phishing, does often come down to the human element,” said Bhatia.

That means the best way to stop it is to ensure that staff are cautious and understand how to review links and messages they get to avoid scams. “It’s really understanding how to be on the lookout for something that is seen as suspicious,” Bhatia said.
