Indigo Books & Music won’t pay the LockBit ransomware gang for data stolen last month, according to a news report.
The Globe and Mail reports that, in an internal letter emailed to staff Wednesday night, Indigo company president Andrea Limbardi said the gang may make some or all of the stolen employee data available to other crooks as soon as today.
The company’s FAQ on the Feb. 8 attack says the LockBit strain of ransomware was the malware deployed. “Although we do not know the identity of the criminals, some criminal groups using LockBit are located in or affiliated with Russian organized crime,” the website statement now says. “We are continuing to work closely with the Canadian police services and the FBI in the United States in response to the attack.”
Indigo hasn’t said how many employees are affected. It has said the names, home addresses, dates of birth, Social Insurance numbers, bank account numbers and salary deposit information are among the data now in the hands of the attackers.
Employees are being offered two years of credit monitoring and identity theft protection services at no cost.
The news service quotes Indigo spokesperson Melissa Perri saying that, because there is no assurance any ransom payment “would not end up in the hands of terrorists or others on sanctions lists”, it won’t pay any money to the attackers.
LockBit works as a ransomware-as-a-service operation, meaning affiliates do the research and initial compromise of a victim before deploying the final payload. According to researchers at BlackBerry, it was implicated in more cyberattacks in 2022 than any other ransomware.
LockBit victims pay an average ransom of approximately US$85,000, BlackBerry said, suggesting small-to-medium-sized organizations are the most targeted. However, it has also hit many big organizations, including Indigo, the California Department of Finance, and international consulting firm Accenture. The gang has also not shied away from hitting the Housing Authority of Los Angeles.
The latest version of the gang’s malware is LockBit 3.0, called LockBit Black by some researchers because of similarities between its code and the BlackMatter ransomware strain. According to Trend Micro, those similarities include the way the malware harvests API functions.
LockBit 3.0’s deletion of shadow copies is clearly lifted from BlackMatter’s code, says Trend Micro. This is performed using Windows Management Instrumentation (WMI) through COM objects, as opposed to LockBit 2.0’s use of vssadmin.exe.
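The two shadow-copy deletion paths described above leave different traces: the vssadmin.exe route (LockBit 2.0) shows up on a process command line, while the WMI-through-COM route (LockBit 3.0, inherited from BlackMatter) produces no child process at all and is only visible in WMI-level telemetry. The detection logic below is an added example written for this article; it is not code from Indigo, Trend Micro or BlackBerry. It assumes two constructed record shapes, a Sysmon-style process-creation event with a `command_line` field and a generic WMI-activity record with `class` and `method` fields, and every sample event in `SAMPLE_EVENTS` is made up for the demonstration.

```python
"""Detect shadow-copy deletion attempts in endpoint telemetry.

Added example, not code from the article or the vendors it cites.
Assumptions: events are dicts resembling Sysmon process-creation
records (type "process") or a WMI-activity record carrying the WMI
class and method invoked (type "wmi"). All sample events are constructed.
"""
import re

# Command-line signatures: the vssadmin path named in the article for
# LockBit 2.0, plus WMI reached through command-line tooling (wmic,
# PowerShell), which still surfaces as a process command line.
COMMAND_LINE_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_win32_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*\bdelete\b", re.I),
}

# The LockBit 3.0 / BlackMatter path calls WMI through COM objects from
# inside the malware process, so there is no command line to inspect;
# the only trace is the WMI call itself (Win32_ShadowCopy + Delete).
WMI_SHADOWCOPY_CLASS = "win32_shadowcopy"
WMI_DELETE_METHODS = {"delete", "deleteinstance"}


def classify_process(event):
    """Return the names of command-line rules a process event matches."""
    cmd = event.get("command_line", "")
    return [name for name, rx in COMMAND_LINE_RULES.items() if rx.search(cmd)]


def classify_wmi(event):
    """Return a rule name if a WMI record deletes Win32_ShadowCopy instances."""
    cls = event.get("class", "").lower()
    method = event.get("method", "").lower()
    if cls == WMI_SHADOWCOPY_CLASS and method in WMI_DELETE_METHODS:
        return ["wmi_shadowcopy_delete"]
    return []


def scan(events):
    """Run both classifiers over a list of events and return alert records."""
    alerts = []
    for ev in events:
        hits = classify_process(ev) if ev["type"] == "process" else classify_wmi(ev)
        if hits:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "source": ev["type"],
                "rules": hits,
                "detail": ev.get("command_line")
                          or f"{ev.get('class')}.{ev.get('method')}",
            })
    return alerts


# Constructed sample telemetry (hosts, users and paths are hypothetical).
SAMPLE_EVENTS = [
    # benign: an administrator listing shadow copies
    {"type": "process", "host": "ws-01", "user": "CORP\\admin",
     "command_line": "vssadmin list shadows"},
    # alert: vssadmin deletion, the LockBit 2.0 path
    {"type": "process", "host": "ws-02", "user": "CORP\\svc-backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    # alert: WMI reached through wmic on a command line
    {"type": "process", "host": "ws-02", "user": "CORP\\svc-backup",
     "command_line": "wmic shadowcopy delete"},
    # alert: WMI reached through PowerShell on a command line
    {"type": "process", "host": "ws-03", "user": "CORP\\jdoe",
     "command_line": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy '
                     '| ForEach-Object { $_.Delete() }"'},
    # alert: WMI called through COM by an unknown binary, no command line
    {"type": "wmi", "host": "ws-03", "user": "CORP\\jdoe",
     "class": "Win32_ShadowCopy", "method": "Delete",
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    # benign: a WMI query that only reads shadow-copy instances
    {"type": "wmi", "host": "ws-01", "user": "CORP\\admin",
     "class": "Win32_ShadowCopy", "method": "Get"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags four of the six events and leaves the `list shadows` and `Get` records alone. The point of the split is that a rule set built only on process command lines, which catches the LockBit 2.0 behaviour, is blind to the LockBit 3.0 technique the article describes; the `wmi` record type stands in for whatever WMI-level source an EDR or WMI activity logging provides. Backup software legitimately deletes old shadow copies, so in production these alerts are usually tuned on the calling process and account rather than suppressed outright.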
Defences against ransomware are the same as for any cyber attack:
- follow the 3-2-1 rule for backups: keep three copies of your files, on two different kinds of media, with one copy stored off-site;
- educate staff to watch for suspicious email, text and voice messages aimed at tricking them into clicking on links that lead to the downloading of malware;
- keep applications and programs up to date with the latest versions and security patches.