Intelligence agency says ransomware group with Russian ties poses ‘an enduring threat’ to Canada
Canada’s cyber intelligence agency says LockBit – a prolific ransomware group with ties to Russia – was responsible for 22 percent of attributed ransomware incidents in Canada last year and will pose a “permanent threat” to Canadian organizations this year.
On Thursday, the Communications Security Establishment announced that it had sent a threat report to Canadian organizations warning about LockBit and its affiliates.
CSE describes LockBit as a group of “financially motivated, Russian-speaking” cybercriminals who are “most likely based in a country in the Commonwealth of Independent States” – a collection of countries that were once part of the Soviet Union.
“The Cyber Center believes that LockBit will almost certainly remain a persistent threat to both Canadian and international organizations through 2023,” said CSE spokesman Evan Koronewski.
According to the CSE, LockBit was also responsible for an estimated 44 percent of global ransomware incidents last year.
Koronewski said LockBit selects its victims by opportunity – and is known for hitting hospitals and transit systems.
Toronto’s Hospital for Sick Children was hit by a ransomware attack in late December, delaying lab results and crippling its phone systems. LockBit apologized and claimed that one of its “partners” was behind the attack on Canada’s largest pediatric medical center.
The US Federal Bureau of Investigation has called LockBit “one of the most active and destructive ransomware variants in the world”.
Ransomware attacks involve malicious software used to cripple a target’s computer system in order to solicit cash payment.
LockBit is considered a ransomware-as-a-service group, meaning it owns a strain of ransomware and sells access to it to affiliates. Groups like LockBit support third-party deployments of their ransomware in exchange for upfront payments, subscription fees, profit-cutting, or all three, the CSE said.
In November, a Russian-Canadian citizen was indicted for allegedly participating in the global LockBit ransomware campaign. Mikhail Vasiliev, 33, from Bradford, Ontario. is charged with conspiracy to intentionally damage protected computers and transmit ransom demands. He is fighting extradition to the United States.
CSE warned of cyber retaliation attacks from Russia
Thursday’s warning is CSE’s second in a week at a time of heightened geopolitical tensions with Russia.
Last week, CSE called for “increased vigilance” against the threat of cyber retaliation from hackers allied with Russia — just hours after Ottawa vowed to give Ukraine four Leopard 2 A4 main battle tanks.
That warning came as Killnet, a group that Canada and its allies describe as a “Russian-aligned cybercrime group,” vowed to go after countries that support Ukraine.
Reuters reported earlier this week that Killnet ran a denial of service (DDoS) campaign against several German websites, only to take them offline on Wednesday after that country announced it was sending tanks to Ukraine.
Germany’s BSI security agency said some financial sector targets were also affected, but the hits had had little effect.
