Indigo Books & Music said the attack deployed LockBit, malware that is increasingly turning up in security breaches. (photo: The Canadian Press)
TORONTO — Bookstore chain Indigo Books & Music revealed this week that the major outage that has affected its systems for nearly a month was caused by ransomware.
The retailer, which has lost access to its website and payment capabilities, said the attack deployed LockBit, malware that is increasingly appearing in digital security breaches.
What is LockBit?
LockBit is a cyber attack kit and malware that is used to carry out criminal attacks.
The group operates as a ransomware-as-a-service company, with teams developing licensed malware for affiliate networks, which they use to carry out attacks, says Sumit Bhatia, director of innovation and policy for Rogers Cybersecure Catalyst at Toronto Metropolitan University.
The BlackBerry security software website says the LockBit malware infiltrates its targets’ networks through unpatched vulnerabilities, privileged access and zero-day attacks, which exploit flaws in software before the company that created it is aware of the problem, giving it “zero days” to fix them.
After that, LockBit is able to take control of the victim’s system, collect network information, and steal or encrypt data, depending on the situation.
“LockBit attacks typically use a dual extortion tactic to encourage victims to pay first to restore access to their encrypted files, and then pay again to prevent their stolen data from being made public,” BlackBerry explains.
How prolific is LockBit?
LockBit has demanded at least $100 million in ransom and extracted tens of millions of dollars in victim payments, according to a court document filed in the District of New Jersey in a 2022 case against an alleged LockBit member.
LockBit came into existence as early as January 2020, and its members have since carried out at least 1,000 attacks against victims in the US and around the world, according to the document.
Who is behind LockBit?
This is a difficult question, according to Mr. Bhatia, because “these people work in the shadows.”
“But what we largely understand is that there is a strong relationship with Russia and former members of the Russian community, who may not necessarily be established outside of Russia anymore, but who can operate from a series of different locations across Europe, and form part of this huge network initiated by LockBit.”
This means that LockBit members can be located anywhere in the world. In November, for example, Mikhail Vasiliev, who has dual Russian and Canadian citizenship, was indicted by the US Department of Justice for his alleged participation in the LockBit ransomware campaign.
Was the Indigo cyberattack carried out by the LockBit team or someone using LockBit software?
Indigo said its network was “accessed by (suspected) criminals who deployed the ransomware known as LockBit,” but added that it didn’t know specifically who was behind the attack.
What other places has LockBit been involved in?
The Hospital for Sick Children in Toronto was hit by a ransomware attack in December that affected its operations. LockBit claimed that one of its affiliates carried out the attack, and the group eventually apologized for it, saying that attacks on hospitals violated its rules.
Other LockBit victims include the UK’s Royal Mail, French technology group Thales and the Port Authority of Lisbon in Portugal.
What can companies do to avoid falling victim to a LockBit attack?
LockBit mainly relies on phishing attacks, says Bhatia.
Phishing usually begins with fraudulent emails or text messages intended to give the impression that they are from a reputable company. They often trick people into entering confidential information such as passwords on a fraudulent website or downloading malware onto a computer with access to the corporate network.
“Ransomware, especially through phishing, is often reduced to the human element,” says Bhatia.
This means that the best way to stop these attacks is to make sure employees are careful and understand how to scrutinize the links and messages they receive so they can spot scams.
“Really understanding how to look for something that is considered fishy,” says Bhatia.
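The advice above, to look closely at the links in a message, can be partly automated. The following is an added example written for this page, not code from the article, Indigo or BlackBerry. It parses a constructed HTML e-mail and flags three common phishing tells: a link whose visible text names one site while its href goes to another, a host that merely contains a trusted brand name inside some other domain, and a URL with user-info before the host. The trusted-domain list, the sample message and the helper names are assumptions made up for the example.

```python
"""Flag suspicious links in an HTML e-mail (added illustration, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation really uses. Constructed list for this example.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    A real deployment would consult the public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return the list of reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        reasons.append("non-https scheme: %r" % parsed.scheme)

    # Visible text that itself looks like a URL but names a different site than the href.
    if "." in text and " " not in text:
        text_host = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            reasons.append("display text %r does not match link host %r" % (text, host))

    # A trusted brand name buried inside an unrelated domain (e.g. brand.com.something.test).
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host and reg != trusted:
                reasons.append("lookalike: %r contains %r but is not %r" % (host, brand, trusted))
                break

    # user:pass@host makes the part before '@' look like the destination.
    if parsed.username is not None:
        reasons.append("userinfo before host")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


# Constructed sample message: one lookalike link, one genuine link.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs verification.</p>
<a href="http://example.com.account-verify.test/login">https://mail.example.com/login</a>
<a href="https://example.com/help">Help centre</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

Run as a script it prints three reasons for the first link and "ok" for the second. The checks are deliberately simple; they illustrate what "looking at the link, not the label" means rather than replacing a mail gateway's filtering.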
Is it a good idea to pay attackers to gain access to your system or decrypt data and files if you are attacked by ransomware?
“From a law enforcement perspective, organizations are incentivized not to pay and this is…because you’re not really sure, even after paying, that you won’t be adversely affected,” asserts Mr. Bhatia.
“You really can’t count on the commitments made by these attackers.”
He adds that the authorities also discourage paying, because it encourages criminals to continue their attacks and perpetuates the cycle.
However, he noted that “small companies don’t always have the luxury of not paying or those that work with critical industries, where access to that data or access to those systems is critical and can have a serious negative impact.”
Indigo has refused to pay money to its attackers, who the company says planned to publish the employee data it stole on the underground web – also known as the “dark web”.
“Privacy Commissioners do not believe that paying the ransom protects those whose data has been stolen, as there is no way to ensure data is deleted/protected once the ransom is paid,” Indigo specifies on its website.
“Furthermore, we cannot be sure that any ransom will not end up in the hands of terrorists or others on sanction lists.”