TORONTO - Indigo Books & Music Inc. revealed this week that a massive systems outage it's been dealing with for almost a month was triggered by ransomware.

The retailer, which lost access to its website and payments capabilities, said the attack deployed LockBit, a malicious software increasingly cropping up in digital security breaches.

What is LockBit?

LockBit is both a cyberattack group and a malicious software used to carry out criminal attacks.

LockBit, the group, operates as a ransomware-as-a-service business, where teams develop malware that is licensed to affiliate networks, which use it to carry out attacks, said Sumit Bhatia, the director of innovation and policy at the Rogers Cybersecure Catalyst at Toronto Metropolitan University.

Security software company BlackBerry's website says LockBit malware infiltrates its targets' networks through unpatched vulnerabilities, insider access and zero-day exploits - flaws in software discovered before the company which created it realizes the problem, giving them “zero days” to fix it.

LockBit is then able to establish control of a victim's system, collect network information and steal or encrypt data, the site said.

“LockBit attacks typically employ a double extortion tactic to encourage victims to pay, first, to regain access to their encrypted files and then to pay again to prevent their stolen data from being posted publicly,” BlackBerry said.

How prolific is LockBit?

LockBit has made at least $100 million in ransom demands and extracted tens of millions of dollars in payments from victims, said a court document filed in the District of New Jersey in a 2022 case against a suspected LockBit member.

LockBit emerged as early as January 2020 and members have since executed at least 1,000 LockBit attacks against victims in the U.S. and around the world, the document alleged.

Who is behind LockBit?

That's a tricky question, said Bhatia, because “these folks operate in such shadows.”

“But what we understand largely is that there's a deep connection to Russia and to former members of the Russian community, who may not necessarily be based out of Russia anymore, but could be operating from a series of different locations across Europe, and form a part of this large network that LockBit has launched,” he added.

That means LockBit members could be located anywhere in the world. In November, for example, the U.S. Department of Justice charged dual Russian and Canadian citizen Mikhail Vasiliev in connection with his alleged participation in a LockBit ransomware campaign.

Was Indigo's cyberattack carried out by the LockBit gang or someone using LockBit software?

Indigo has said its network was “accessed by (alleged) criminals who deployed ransomware software known as LockBit,” but added it does not know specifically who is behind the attack.

Where else has LockBit been involved?

Toronto's Hospital for Sick Children experienced a ransomware attack in December that affected operations. LockBit claimed one of its partners carried out the attack, which the group eventually apologized for, saying attacks on hospitals violate its rules.

LockBit's other victims include the U.K.'s Royal Mail, French technology group Thales and the Lisbon Port Authority in Portugal.

What can companies do to avoid being a victim to a LockBit attack?

LockBit relies primarily on phishing attacks, said Bhatia.

Phishing generally starts with fraudulent emails or text messages meant to look like they've been sent by a trustworthy company. They often dupe people into entering confidential information such as passwords into a fraudulent website or downloading malware onto a computer with access to a company's network.

“Ransomware, especially through phishing, does often come down to the human element,” said Bhatia.

That means the best way to stop it is to ensure that staff are cautious and understand how to review links and messages they get to avoid scams.

“It's really understanding how to be on the lookout for something that is seen as suspicious,” Bhatia said.

Is it a good idea to pay attackers to access your system or decrypt data and files if you're attacked with ransomware?

“From a law enforcement perspective, organizations are encouraged not to pay and that's ... because you're not really guaranteed, even after paying that you're not going to be affected adversely,” Bhatia said.

“You can't really rely on the commitments being made by these attackers.”

Authorities also discourage paying because it encourages criminals to continue their attacks and propagates a cycle, he said.

However, he noted “small businesses don't always have the luxury of not paying or those that are working with critical sectors, where access to that data or access to those systems is critical and can have a severe adverse effect.”

Indigo has refused to pay its attackers, who the company said planned to post on the dark web the employee data it stole.

“The privacy commissioners do not believe that paying a ransom protects those whose data has been stolen, as there is no way to guarantee the deletion/protection of the data once the ransom is paid,” Indigo said on its website.

“Additionally, we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.”

This report by The Canadian Press was first published March 3, 2023.