World

LockBit digital gang named top ransomware threat by Canada and other nations

The United States, Canada and five other countries on Wednesday identified the digital extortion gang operating under the "LockBit" banner as the world's top ransomware threat.

Type of malware takes over a network or computer to extort money

A man sits in the dark working on a computer.
The Canadian Centre for Cyber Security, part of the federal government's Communications Security Establishment agency, says ransomware is a 'serious and evolving threat to Canadians.' Cyber authorities in five countries said Wednesday that a digital extortion gang operating under the 'LockBit' banner is the world's top ransomware threat. (Shutterstock)

The United States, Canada and five other countries on Wednesday identified the digital extortion gang operating under the "LockBit" banner as the world's top ransomware threat.

In a joint advisory, U.S., Canadian, British, French, German, Australian and New Zealand cyber authorities said LockBit's extortion software, used to scramble victims' data until a ransom is paid, was the most broadly used by cybercriminals.

"In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023," the advisory said, adding that the gang and its affiliates "have negatively impacted organizations, both large and small, across the world."

Ransomware is a form of malicious software or malware used by hackers to take control of a victim's computer or network and then demand payment in exchange for decryption.

It was first seen as early as 1989 and has become the most common cyber threat Canadians face, according to the Canadian Centre for Cyber Security.

The agency estimates that worldwide ransomware attacks increased by 151 per cent in the first half of 2021 when compared to the same period the year before.

The business around ransomware has become increasingly sophisticated. LockBit is one of several groups that uses an affiliate model, effectively letting other cybercriminals use its code and infrastructure in return for a cut of the profits.

According to the advisory, the first observed activity of the predecessor to LockBit was in September 2019, and that LockBit-named ransomware was first seen on Russian-language-based cybercrime forums.

The advisory only cited hard figures from three countries, with 1,700, LockBit-related incidents reported or confirmed in the United States, 69 in France and 15 in New Zealand.

But LockBit accounts for a big chunk of the ransomware incidents tracked by all seven governments, according to the advisory, which said the agencies involved attributed somewhere between 11 per cent to 23 per cent of all recent ransom-seeking hacks to the group.

WATCH | Ransomware attacks come with hefty price tag:

The rising cost of a ransomware attack

4 years ago
Duration 2:09
Organizations hit by a ransomware attack face a plethora of encrypted data and a hefty price tag to retrieve it. And many find that whether they pay the ransom or not, the attacks are extremely costly.

Figures cited 'likely significantly understated' 

German and Australian officials did not immediately return messages seeking further details and figures. British authorities declined to comment.

"Generally, we do not comment on specific cyber security incidents, nor do share statistics on events," Robyn Hawco, media spokesperson for the Communications Security Establishment, the Canadian government's national cryptologic agency, told CBC News on Wednesday.

It makes sense to describe LockBit as a top ransomware actor, said Brett Callow, an analyst with cybersecurity company Emsisoft. He said the figures cited in the advisory were "likely significantly understated."

Callow added that the global co-operation that went into the advisory was an encouraging sign.

"I don't recall so many agencies collaborating on an advisory before," he said. "It's great to see."

With files from CBC News