Cyber Incident Victim: Top Aces

On or around May 11, 2022, Canadian defense contractor Top Aces confirmed it was investigating a ransomware attack after appearing on the LockBit ransomware group’s leak site. The Montreal-based company, which supplies adversary air training services to the Canadian, German, Israeli, and U.S. armed forces using privately held fighter aircraft, acknowledged the incident in a brief statement to The Record. LockBit claimed responsibility for the attack and threatened to leak 44GB of allegedly stolen data by May 15 if its demands were not met. Top Aces, founded in 2000 by former fighter pilots, held a significant U.S. Air Force contract since 2019 that included training against Russian weaponry, amplifying concerns about the sensitivity of potentially compromised data. The company did not disclose the attack’s operational impact, data exposure specifics, or initial detection methods.

LockBit, operating since September 2019, had escalated its activity following the release of its LockBit 2.0 ransomware-as-a-service platform, becoming one of the most prolific groups with approximately 650 global victims by mid-2022 according to Recorded Future. The Australian Cyber Security Centre had documented a surge in LockBit attacks months prior, and the group had recently targeted high-profile entities like Germany’s library network and Rio de Janeiro’s finance department. Emsisoft threat analyst Brett Callow highlighted risks inherent to defense sector breaches, noting historical incidents involving military contractors Visser Precision and Westech International, where stolen data could reach hostile nation-states via resale or dissemination. Top Aces did not publicly detail containment measures, recovery progress, or whether negotiations occurred with LockBit. The company’s investigation remained ongoing at the time of reporting, with no subsequent public updates confirming data leakage or resolution prior to LockBit’s May 15 deadline.