Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada

Canada's cyber intelligence agency says Lockbit — a prolific ransomware group with links to Russia — was responsible for 22 per cent of attributed ransomware incidents in Canada last year and will pose an "enduring threat" to Canadian organizations this year.  

LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada, says CSE

A health-care worker treats a patient in the emergency department at Toronto’s Hospital for Sick Children. The hospital was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems. (Chris Young/The Canadian Press)

Canada's cyber intelligence agency says LockBit — a prolific ransomware group with links to Russia — was responsible for 22 per cent of attributed ransomware incidents in Canada last year and will pose an "enduring threat" to Canadian organizations this year.

On Thursday, the Communications Security Establishment said it sent a threat report to Canadian organizations warning about LockBit and its affiliates.

CSE describes LockBit as a group of "financially-motivated, Russian-speaking" cybercriminals "very likely based in a Commonwealth of Independent States country" — an assembly of countries that once were part of the Soviet Union. 

"The Cyber Centre assesses that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023," said CSE spokesperson Evan Koronewski.

"In 2022, LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada and an estimated 44 per cent of global incidents."

Koronewski said LockBit selects its victims based on opportunity — and is known for hitting hospitals and transit systems. 

Toronto's Hospital for Sick Children was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems. LockBit apologized, claiming one of its "partners" was behind the hit on Canada's largest pediatric medical centre.

The Federal Bureau of Investigation in the U.S. has called LockBit "one of the most active and destructive ransomware variants in the world."

Ransomware attacks involve malicious software used to cripple a target's computer system to solicit a cash payment. 

LockBit is considered a ransomware-as-a-service group, meaning it owns a ransomware strain and sells access to it to affiliates. Groups like LockBit support the deployment of their ransomware by third parties in exchange for upfront payments, subscription fees, a cut of profits, or all three, said CSE.

In November, a dual Russian-Canadian national was charged for his alleged participation in the LockBit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ont. is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. He is fighting his extradition to the United States.

Brett Callow, a threat analyst at Emsisoft, said getting a clear picture of LockBit's reach and power is difficult.

He said statistics are often based on posting pages from the dark web where ransomware gangs list non-paying victims, and don't always indicate activity levels.

"How many ransomware attacks are there? Are the numbers trending up or down? These should be easy questions to answer but, due to a lack of solid data, they're not," he said.

"So, not only do we have an incomplete picture as to how and why attacks succeed, but it's hard for policymakers to establish whether counter-ransomware policies are working if they don't have accurate statistical data." 

CSE warned of retaliatory cyber attacks from Russia

Thursday's warning is the second in a week from CSE, at a time of heightened geopolitical tensions with Russia. 

Last week, CSE called for a "heightened state of vigilance" against the threat of retaliatory cyber attacks from Russia-aligned hackers — just hours after Ottawa promised to give Ukraine four Leopard 2 A4 main battle tanks.

That warning came as Killnet, a group Canada and its allies describe as a "Russian-aligned cybercrime group," vowed to go after countries that support Ukraine.

Reuters reported earlier this week that Killnet ran a denial-of-service (DDoS) campaign against several German websites to knock them offline Wednesday after that country announced it would be sending tanks to Ukraine.

Germany's security agency BSI said some financial sector targets were also affected but the hits had little effect.


Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Account Holder

Join the conversation  Create account

Already have an account?