CIRO issues cybersecurity playbook as ransomware gang is disrupted

Canada has participated in international law enforcement action against LockBit

Steve Randall

The issuance of a new ransomware playbook by the Canadian Investment Regulatory Organization (CIRO) has coincided with a high-profile reminder of the dangers of cybercrime.

With cybercrime increasing in Canada’s banking sector and across industries globally, Canadian law enforcement has participated in an international operation led by the UK’s National Crime Agency, which also involved the FBI and Europol. The operation has taken control of significant capabilities of LockBit, a group that offers ‘ransomware-as-a-service’ to hackers.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said National Crime Agency Director General, Graeme Biggar. “As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

The FBI says that the group has targeted over 2,000 victims, received more than $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars.

With the chance that the crime group will rebuild, the scale of its infrastructure and network highlights the importance of strong cyber defences, especially for high-risk industries such as financial services. The world’s largest bank by assets was targeted by LockBit in November 2023.

CIRO guidance

CIRO’s new Ransomware Response Playbook details high-level steps that a member firm needs to take to ensure a timely, coordinated, and effective response to a ransomware attack. It points out that “cyber incidents are becoming increasingly prevalent and pose an existential threat” to the industry.

With growing sophistication and volume of attacks, the regulator has also published a Cybersecurity – Ransomware Notice which lists some basic steps for firms to respond to attacks. It highlights the most common ways that criminals initiate ransomware attacks:

  1. Phishing attacks, i.e. malicious links or attachments sent through emails, text messaging and other communication technology, are the most common threat vector
  2. “Drive-by downloads” which occur when an individual clicks on a compromised website or on a malicious advertisement on a legitimate website (i.e. malvertising)
  3. Stolen credentials, which are available on the dark web from a previous exposure or attack
  4. Brute-force entry into vulnerable web networks and servers 

The guidance has been published following two cybersecurity table-top exercises in 2023 for small and medium-sized CIRO member firms.
