1. Home
  2. Politics
  3. Cybercrime

Intelligence agency says ransomware group with Russian ties poses ’an enduring threat’ to Canada

LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada, says CSE

A healthcare worker.

A health-care worker treats a patient in the emergency department at Toronto’s Hospital for Sick Children. The hospital was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems.

Photo:  (Chris Young/The Canadian Press)


Canada's cyber intelligence agency says LockBit — a prolific ransomware group with links to Russia — was responsible for 22 per cent of attributed ransomware incidents in Canada last year and will pose an "enduring threat" to Canadian organizations this year.

On Thursday, the Communications Security Establishment said it sent a threat report to Canadian organizations warning about LockBit and its affiliates.

CSE describes LockBit as a group of financially-motivated, Russian-speaking cybercriminals very likely based in a Commonwealth of Independent States country — an assembly of countries that once were part of the Soviet Union. 

The Cyber Centre assesses that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023, said CES spokesperson Evan Koronewski.

CSE said LockBit also was responsible for an estimated 44 per cent of global ransomware incidents last year.

Koronewski said LockBit selects its victims based on opportunity — and is known for hitting hospitals and transit systems. 

Toronto's Hospital for Sick Children was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems. LockBit apologized, claiming one of its partners was behind the hit on Canada's largest pediatric medical centre.

The Federal Bureau of Investigation in the U.S. has called LockBit one of the most active and destructive ransomware variants in the world.

Ransomware attacks involve malicious software used to cripple a target's computer system to solicit a cash payment. 

LockBit is considered a ransomware-as-a-service group, meaning it owns a ransomware strain and sells access to it to affiliates. Groups like LockBit support the deployment of their ransomware by third parties in exchange for upfront payments, subscription fees, a cut of profits, or all three, said CSE.

In November, a dual Russian-Canadian national was charged for his alleged participation in the LockBit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ont. is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. He is fighting his extradition to the United States.

CSE warned of retaliatory cyber attacks from Russia

Thursday's warning is the second in a week from CSE, at a time of heightened geopolitical tensions with Russia. 

Last week, CSE called for a heightened state of vigilance against the threat of retaliatory cyber attacks from Russia-aligned hackers — just hours after Ottawa promised to give Ukraine four Leopard 2 A4 main battle tanks.

That warning came as Killnet, a group Canada and its allies describe as a "Russian-aligned cybercrime group (new window)," vowed to go after countries that support Ukraine.

Reuters reported earlier this week that Killnet ran a denial-of-service (DDoS) campaign against several German websites (new window) to knock them offline Wednesday after that country announced it would be sending tanks to Ukraine.

Germany's security agency BSI said some financial sector targets were also affected but the hits had little effect.


Catharine Tunney (new window) · CBC News · Reporter

Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca