London Drugs has confirmed that the cybersecurity breach that forced it to close stores across Western Canada for more than a week was a ransomware attack.
In a statement, the company said there remained no indication that customer or “primary employee” data was accessed. But it confirmed that the attackers were able to steal files from its corporate head office, some of which may include employee information.
“London Drugs is unwilling and unable to pay ransom to these cybercriminals,” the company said.
“London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted.”
The attackers are seeking a ransom of $25 million and threatening to post the stolen data on the dark web, according to threat analyst Brett Callow, with New Zealand-based cybersecurity company Emsisoft.
Callow said notorious ransomware operation LockBit has claimed responsibility on its dark web extortion website.
LockBit has claimed London Drugs offered to pay $8 million but says it will release the stolen data if it isn’t paid the full amount within 48 hours, according to its post. London Drugs is not confirming any details about the ransom demands.
“LockBit has been one of the most prolific ransomware operations since 2019. They have launched successful attacks against thousands of organizations,” Callow said.
“They are known to have reaped more than $100 million in ransom demands.”
Callow said the U.K. National Crime Agency, working with international law enforcement, successfully disrupted LockBit in February.
That operation led to the arrest of two people in Poland and Ukraine and the seizure of 200 cryptocurrency accounts.
U.K. officials also unmasked the organization’s kingpin as Russian national Dmitry Khoroshev, who is now the subject of a $10 million reward posted by U.S. authorities.
“That acted as a speedbump for sure, but they do seem to still be active,” he said, adding that extraditing Khoroshev from Russia is essentially impossible.
Callow said London Drugs was likely not unique as a target, explaining that ransomware attacks are “low effort” and deployed against numerous targets who the attackers believe may be able to pay.
The cyber racket is believed to have cost businesses as much as $1 billion last year alone, he said.
“The absolute best path is the one that London Drugs has taken, to refuse to pay,” he said.
“These people are untrustworthy bad faith actors, there is no guarantee that paying the demand will result in you either getting a key to decrypt your data or that whatever data was stolen will be deleted.”
London Drugs reopened its 79 stores across Western Canada on May 7, after painstakingly rebuilding systems targeted in the April 28 attack.
The company said Tuesday it was not able to provide specifics on the nature or extent of potentially affected employee personal information.
“Our review is underway, but due to and the extent of system damage caused by this cyber incident, we expect this review will take some time to perform,” it said.
It said it has proactively notified all current employees and is offering 24 months of credit monitoring and identity theft protection services.
The company added it will directly contact affected employees to notify them if any personal information was compromised.
Editor’s note: This is a corrected story. A previous version incorrectly reported Brett Callow’s title and Emsisoft’s location.