CSE and international partners publish a cyber security advisory on LockBit ransomware

The Canadian Centre for Cyber Security (Cyber Centre, part of the Communications Security Establishment) and its global partners are warning Canadians about LockBit, one of the most widely deployed ransomware variants currently in use.

CSE joined Five Eyes partners (Australia, New Zealand, the United Kingdom and the United States), as well as international partners Germany and France, in issuing a Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents. This advisory will help network defenders proactively improve their organization’s defences against this ransomware operation.

In 2022, LockBit was the most deployed ransomware variant across the world, and it continues to be prolific into 2023. The LockBit ransomware operation functions as an affiliate-based Ransomware-as-a-Service (RaaS) model, meaning threat actors or affiliates, regardless of their skills, can purchase malware from developers on the dark web. The developers then receive a portion of the ransom paid by the victim. In this case, affiliates are recruited to conduct attacks using LockBit ransomware tools and infrastructure.

Since January 2020, LockBit affiliates have attacked organizations of varying sizes across a wide array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. Due to the large number of disparate, unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This presents a notable challenge for organizations working to maintain network security and protect against the ransomware threat.

The Cyber Centre and its partners encourage organizations to implement the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents. Organizations are also encouraged to review the Cyber Centre’s Ransomware Playbook for advice and guidance on preventing and responding to ransomware incidents.

Canadians can be assured that CSE works closely with Five Eyes and critical infrastructure partners to share information and help keep Canadians safe online.

More information on this joint advisory.
