Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada

Canada's cyber intelligence agency says LockBit a prolific ransomware group with links to Russia was responsible for 22 per cent of attributed ransomware incidents in Canada last year and will pose an "enduring threat" to Canadian organizations this year.

On Thursday, the Communications Security Establishment said it sent a threat report to Canadian organizations warning about LockBit and its affiliates.

CSE describesLockBit as a group of"financially-motivated, Russian-speaking" cybercriminals "very likely based in a Commonwealth of Independent States country"an assemblyof countries that once were part of the Soviet Union.

"The Cyber Centre assesses that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023," said CSE spokesperson Evan Koronewski.

"In 2022,LockBitwas responsible for 22 per centof attributed ransomware incidents in Canada and an estimated 44 per centof global incidents."

Koronewski said LockBit selects its victims based on opportunity and is known for hittinghospitals and transit systems.

Toronto's Hospital for Sick Children was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems.LockBit apologized, claimingone of its "partners" was behind the hit onCanada's largest pediatric medical centre.

The Federal Bureau of Investigation in the U.S. has called LockBit "one of the most active and destructive ransomware variants in the world."

Ransomware attacks involve malicious software used to cripple a target's computer system to solicit a cash payment.

LockBit is considered a ransomware-as-a-service group, meaning itowns a ransomware strain and sells access to it to affiliates. Groups like LockBit support the deployment of their ransomware by third parties in exchange for upfront payments, subscription fees, a cut of profits, or all three,said CSE.

In November, a dual Russian-Canadian national was charged for his alleged participation in the LockBit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ont. is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. He is fighting his extraditionto the United States.

Brett Callow, a threat analyst at Emsisoft,said getting a clear picture of LockBit's reach and power is difficult.

He said statistics are often based on posting pages from the dark web where ransomware gangs list non-paying victims, and don't always indicate activity levels.

"How many ransomware attacks are there? Are the numbers trending up or down? These should be easy questions to answer but, due to a lack of solid data, they're not," he said.

"So, not only do we have an incomplete picture as to how and why attacks succeed, but it's hard for policymakers to establish whether counter-ransomware policies are working if they don't have accurate statistical data."

CSEwarned ofretaliatory cyber attacks from Russia

Thursday's warning is the second in a week from CSE, at a time of heightened geopolitical tensions with Russia.

Last week, CSE called for a "heightened state of vigilance" against the threat of retaliatory cyber attacks from Russia-aligned hackers just hours after Ottawa promised to give Ukraine four Leopard 2 A4 main battle tanks.

That warning came as Killnet, a group Canada and its allies describeas a "Russian-aligned cybercrime group," vowed to go after countries that support Ukraine.

Reuters reported earlier this week that Killnet ran a denial-of-service (DDoS) campaign against several German websites to knock them offline Wednesday after that country announced it would be sending tanks to Ukraine.

Germany's security agency BSI said some financial sector targets were also affected but the hits had little effect.