Indigo refuses to pay ransom to LockBit gang

Indigo Books & Music won’t pay the LockBit ransomware gang for data stolen last month, according to a news report.

The Globe and Mail reports that, in an internal letter emailed to staff Wednesday night, Indigo company president Andrea Limbardi said the gang may make some or all of the stolen employee data available to other crooks as soon as today.

The company’s FAQ on the Feb. 8 attack says the LockBit strain of ransomware was the malware deployed. “Although we do not know the identity of the criminals, some criminal groups using LockBit are located in or affiliated with Russian organized crime,” the website statement now says. “We are continuing to work closely with the Canadian police services and the FBI in the United States in response to the attack.”

Indigo hasn’t said how many employees are affected. It has said the names, home addresses, dates of birth, Social Insurance numbers, bank account numbers and salary deposit information are among the data now in the hands of the attackers.

Employees are being offered two years of credit monitoring and identity theft protection services at no cost.

The news service quotes Indigo spokesperson Melissa Perri saying that, because there is no assurance any ransom payment “would not end up in the hands of terrorists or others on sanctions lists”, it won’t pay any money to the attackers.

LockBit works as a ransomware-as-a-service operation, meaning affiliates do the research and initial compromise of a victim before deploying the final payload. According to researchers at BlackBerry, it was implicated in more cyberattacks in 2022 than any other ransomware.

LockBit victims pay an average ransom of approximately US$85,000, BlackBerry said, suggesting small-to-medium-sized organizations are the most targeted. However, it has also hit many big organizations, including Indigo, the California department of finance, and international consulting firm Accenture. It was also not beneath the gang to hit the Housing Authority of Los Angeles. 

The latest version of the gang’s malware is LockBit 3.0, called by some researchers LockBit Black because of similarities in the code with the BlackMatter ransomware strain. According to Trend Micro, that includes harvesting APIs.

LockBit 3.0’s deletion of shadow copies is clearly lifted from BlackMatter’s code, says Trend Micro. This is performed using Windows Management Instrumentation (WMI) through COM objects, as opposed to LockBit 2.0’s use of vssadmin.exe.

Defences against ransomware are the same as for any cyber attack:

  • follow the 3-2-1 rule for backups: Back up files in three copies in two different formats, with one copy stored off-site;
  • educate staff to watch for suspicious email, text and voice messages aimed at tricking them into clicking on links that lead to the downloading of malware;
  • keep applications and programs up to date with the latest versions and security patches.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs