The LockBit gang have been really busy so far this year, launching multiple attacks against targets all across the globe.

Canadian books and music retailer Indigo is another company to fall foul of LockBit’s ransomware campaign.

Indigo books & music store in Toronto

In February, the LockBit gang managed to infiltrate the Indigo network and exfiltrate a host of private data relating to staff at the company.

An internal letter distributed to Indigo staff on Wednesday states that:

“We have been informed that the criminals responsible for this attack intend to make some or all of the data they have stolen available using the dark web as early as tomorrow.”

The data which has been stolen includes home addresses, postal codes, social insurance numbers, birth dates, direct deposit information, bank account numbers, names, e-mail addresses and phone numbers of Indigo staff.

Indigo’s e-commerce site first went offline on February 8th as a result of the ransomware attack, which forced the company to launch a temporary home for its webstore.

Visitors to the temporary store are greeted by a message about the attack and an update page which explains the events that took place and what the company is doing to resolve the issues.

Indigo cyber attack update page

The attack also impacted many of the retailer’s physical stores: for a time, some stores could not process any point-of-sale (PoS) transactions. This forced the retailer to change its in-store payment technology in order to resume accepting debit and credit card payments as well as gift cards. The company is still struggling to bring the original systems back online almost four weeks later.

Indigo is currently working with Canadian law enforcement as well as the United States FBI and has issued a statement that it will not pay any ransom because “…we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists”.

The sanctions referred to are those in place upon Russian individuals and entities.

Since the Russian invasion of Ukraine, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has issued further sanctions on Russian individuals and organizations. Anyone who pays or facilitates a payment to a sanctioned individual or organization – without first seeking U.S. government approval, which would not necessarily be granted – may face financial or criminal penalties.

Blockchain analysis firm Chainalysis says $400 million in known ransom payments flowed to Russia in 2021, comprising 74% of all known ransomware revenue. In a 2022 report, Chainalysis said that this figure dropped by 46% in 2022.

Not the first Canadian target

Indigo is not the first target in Canada for LockBit’s ransomware attacks. The notorious group is believed to be responsible for at least 22 per cent of all attributed ransomware attacks in Canada last year, according to Canada’s cyber intelligence agency, the Communications Security Establishment.

One high-profile attack attributed to LockBit was launched against the Hospital for Sick Children (SickKids) in Toronto.

SickKids logo

This attack took place on December 18th, 2022, affected several network systems and forced the hospital to declare a Code Grey (infrastructure failure) status.

Hospital emergency codes

Hospitals across the world use various emergency codes which, when activated, trigger specific policies and procedures. Different countries, and in some cases different regions within a country, attach slightly different meanings to their codes.

SickKids, being in Toronto, follows the codes applicable to hospitals in Ontario, which are as follows:

  • Code amber: missing child/child abduction
  • Code aqua: flood
  • Code black: bomb threat/suspicious object
  • Code blue: cardiac arrest/medical emergency – adult
  • Code brown: in-facility hazardous spill
  • Code green: evacuation (precautionary)
  • Code green stat: evacuation (crisis)
  • Code grey: infrastructure loss or failure
  • Code grey button-down: external air exclusion
  • Code orange: disaster
  • Code orange CBRN: CBRN (chemical, biological, radiological, and nuclear) disaster
  • Code pink: cardiac arrest/medical emergency – infant/child
  • Code purple: hostage taking/gang activity
  • Code red: fire
  • Code silver: gun threat/shooter
  • Code white: violent/behavioural situation
  • Code yellow: missing person

Apology issued

In a rare move, the LockBit gang issued an apology to SickKids and gave the hospital the decryption key for free. This enabled the hospital to recover its systems quite quickly and resume normal activities.

LockBit apology

It appears that this gang has some remaining morals.