The retailer, which lost access to its website and payment options, said the attack deployed LockBit malware, which is increasingly showing up in digital security breaches.
What is LockBit?
LockBit is the name both of a cybercriminal group and of the malware it uses to carry out its attacks.
According to Sumit Bhatia, director of innovation and policy at Rogers Cybersecure Catalyst at Toronto Metropolitan University, the group operates as a ransomware-as-a-service business: a core team develops the malware and licenses it to affiliates, who use it to carry out attacks.
The website of security software company BlackBerry says LockBit malware gets into its targets' networks through unpatched vulnerabilities, privileged access and zero-day attacks, which exploit software flaws before the company that made the software is aware of them, leaving it "zero days" to fix the problem.
LockBit can then take control of the victim’s system, gather network information, and steal or encrypt the data, according to the site.
“LockBit attacks typically use double extortion tactics to encourage victims to pay first to regain access to their encrypted files and then pay again to prevent their stolen data from being made public,” explains BlackBerry.
How prolific is LockBit?
According to a court document filed in the District of New Jersey in a 2022 case against an alleged LockBit member, LockBit has made ransom demands totalling at least $100 million and has received tens of millions of dollars in payments from victims.
According to the document, LockBit first appeared in January 2020, and since then its members have carried out at least 1,000 attacks on victims in the US and around the world.
Who is behind LockBit?
According to Mr. Bhatia, this is a difficult question because “these people operate in the shadows.”
“But we are pretty much aware that there is a strong connection with Russia and former members of the Russian community who may no longer necessarily live outside of Russia, but may operate from a number of different locations across Europe and become part of this vast network launched by LockBit,” he adds.
This means LockBit members can be anywhere in the world. For example, in November, the US Department of Justice indicted Mikhail Vasiliev, who has Russian and Canadian citizenship, for his alleged involvement in the LockBit extortion campaign.
Was the Indigo cyberattack carried out by the LockBit team, or by someone using the LockBit software?
Indigo said its network was “accessed by (suspected) criminals who deployed ransomware known as LockBit,” but added that it did not know who, specifically, was behind the attack.
What other attacks has LockBit been involved in?
Toronto's Hospital for Sick Children suffered a ransomware attack in December that disrupted its operations. LockBit claimed that one of its affiliates carried out the attack, and the group later apologized, stating that attacks on hospitals violated its rules.
Other victims of LockBit include UK postal operator Royal Mail, French tech group Thales, and the Port Authority of Lisbon in Portugal.
What can companies do to avoid falling victim to a LockBit attack?
According to Bhatia, LockBit mainly relies on phishing attacks.
Phishing usually starts with fraudulent emails or text messages designed to look as though they were sent by a trusted company. They typically trick people into entering sensitive information such as passwords on a fraudulent website, or into downloading malware onto a computer that has access to the company's network.
“Ransomware, especially through phishing, often comes down to human error,” says Bhatia.
This means the best defence is to make sure staff are careful and know how to scrutinize the links and messages they receive so they are not fooled.
“It’s really understanding how to be on the lookout for what is considered suspicious,” says Bhatia.
Should you pay attackers to gain access to your system or to decrypt data and files if you are attacked by ransomware?
“From a law enforcement perspective, there is an incentive for organizations not to pay, and that’s… because you’re not really sure, even after you pay, that you won’t be affected,” Mr. Bhatia said.
“You can’t count on the commitments made by these forwards.”
Authorities also advise against paying as it encourages criminals to continue their attacks and spreads the cycle, he adds.
However, he noted that “small businesses don’t always have the luxury of not paying, or those that work with mission-critical industries where access to that data or access to those systems is critical and can have serious negative consequences.”
Indigo refused to pay the attackers, who the company said were planning to post stolen employee data on the dark web.
“Privacy Ombudsmen do not believe that the payment of a ransom protects those whose data has been stolen, as it is not possible to guarantee deletion/protection of data after the payment of the ransom,” Indigo stated on its website.
“In addition, we cannot be sure that any ransom will not fall into the hands of terrorists or other persons included in the sanctions lists.”