LockBit keeps attacking Canadian companies

Whether you run a drugstore chain or mow lawns, the world’s most prolific ransomware group has its eyes on you.

What happened: The LockBit ransomware group released files stolen from pharmacy chain London Drugs after it refused to pay a $25 million ransom. The files, which may contain employee data, were stolen in a recent cyberattack that closed all 79 of the drugstore’s locations for over a week.

  • LockBit’s demand disappeared from and then reappeared on its leak site, which could indicate that London Drugs tried to negotiate or buy some time.

Catch-up: LockBit has been credited with over 2,000 attacks and extorting US$120 million in payments since appearing in 2019. The playbook is often the same: Get into a computer system, encrypt some files, and demand money to unlock them and stop their sale on the dark web.

  • There isn’t a ton of hacking involved. LockBit buys stolen logins for remote access software, exploits security issues in out-of-date systems, sends phishing emails, or just guesses weak passwords.
  • LockBit was behind 22% of Canadian ransomware attacks in 2022, with victims ranging from SickKids Hospital to the town of St. Marys, Ontario. Since then, it has also hit Indigo, Toronto Public Library, and Weather Network owner Pelmorex.
  • In February, a multicountry law-enforcement operation took down LockBit’s servers and dark web sites, but the group was back online days later.

Yes, but: Despite its high-profile hacks, most of LockBit’s victims are smaller organizations, with an average ransom of US$85,000. Eight small Canadian companies have been hit just since the February take-down, based on tracking by threat intelligence platform FalconFeeds. They’ve included a law firm, insurance broker, landscaping company, and casket-maker.

Bottom line: LockBit strikes based on opportunity, and small organizations offer low-hanging fruit. And whether or not a ransom is paid, the business disruption and the work to restore compromised systems can add up. St. Marys paid a C$290,000 ransom to LockBit, but the total cost of the attack reached C$1.3 million.