The Canadian Centre for Cyber Security (Cyber Centre, part of the Communications Security Establishment) and its global partners are warning Canadians about LockBit, one of the most widely deployed ransomware variants currently in use.
CSE joined Five Eyes partners – Australia, New Zealand, the United Kingdom and the United States – as well as international partners Germany and France, in issuing a Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents. This advisory will help network defenders proactively improve their organization’s defences against this ransomware operation.
In 2022, LockBit was the most deployed ransomware variant across the world, and it continues to be prolific into 2023. The LockBit ransomware operation functions as an affiliate-based Ransomware-as-a-Service (RaaS) model, meaning threat actors or affiliates, regardless of their skills, can purchase malware from developers on the dark web. The developers then receive a portion of the ransom paid by the victim. In this case, affiliates are recruited to conduct attacks using LockBit ransomware tools and infrastructure.
Since January 2020, LockBit affiliates have attacked organizations of varying sizes across a wide array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. Due to the large number of disparate, unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This presents a notable challenge for organizations working to maintain network security and protect against the ransomware threat.
The Cyber Centre and its partners encourage organizations to implement the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents. Organizations are also encouraged to review the Cyber Centre’s Ransomware Playbook for advice and guidance on preventing and responding to ransomware incidents.
Canadians can be assured that CSE works closely with Five Eyes and critical infrastructure partners to share information and help keep Canadians safe online.