As the town of St. Marys, Ont., coped Friday with the aftereffects of a cybersecurity incident which locked and encrypted its internal server, a notorious ransomware group threatened to release a swath of data purportedly belonging to the town onto the dark web.
St. Marys officials first became aware of the attack around 11 a.m. Wednesday, prompting staff to lock down the town’s IT systems and isolate its network to prevent any further damage, said Mayor Al Strathdee.
“Since that time, we realized that it is a malware attack. There was a message asking for ransom,” he said.
“We have engaged a team of experts to help us through this and secure our network and we have been able to resume some operations. We also have the support of the OPP and legal counsel guiding us through what to do.”
Stratford police and the Canadian Centre for Cyber Security (CCCS) have been notified about the incident, and municipal services like fire, police, transit, water and wastewater systems were not impacted and are operating as usual.
“We have the ability to use email again to communicate, so our operations from the outside, other than some access to some files, would appear to be normal. We’re very close to being able to resume almost all operations again,” Strathdee said.
In a media release issued Friday, the town said that “cyber incident response experts” were working with St. Marys to determine the source of the incident, to back up data, and to assess any impacts on its information.
“These experts are also assisting staff as they work to fully unlock and decrypt the Town’s systems, a process that could take days,” the release read.
LockBit ransomware group involved
St. Marys spokesperson Brett O’Reilly confirmed to Global News that the incident was the result of the notorious ransomware group LockBit, which has been active since late 2019.
The group alleged Friday on its dark web portal that it had stolen 67 gigabytes worth of data belonging to St. Marys, including confidential data and financial documents.
A countdown timer on the post stated that the town had until the afternoon of July 30 to pay the ransom or the data would be published, a tactic known as double extortion.
Four screenshots are included on the post. Two claim to show sets of file trees and two claim to be of documents taken in the breach. Global News has not independently verified their authenticity and is not publishing the images.
No ransom amount was listed on LockBit’s page, and Mayor Strathdee declined to say how much the group was demanding. In ransomware cases, payment is typically demanded in cryptocurrency such as Bitcoin.
To date, the town has not paid the ransom, he said. “We’re going to act on our legal advice. As well, we’re engaged with the OPP and we’re waiting to take their advice and we will follow legal advice on all steps.”
CCCS notes that paying a ransom guarantees neither that access to encrypted data will be restored nor that the stolen data will be deleted by the ransomware group.
“Ultimately, the decision to pay the ransom is your organization’s to make, but it is important for your organization to be fully aware of the risks associated with paying the ransom,” an unclassified “ransomware playbook” published by the agency last year states.
“For example, threat actors may use wiper malware, which alters or permanently deletes your files once you pay the ransom. Payment may also be used to fund and support other illicit activities.”
The LockBit ransomware group operates under a ransomware-as-a-service (RaaS) model, meaning the people who carry out the attacks (affiliates) aren’t necessarily those who created the ransomware, said Brett Callow, a Vancouver Island-based threat analyst with cybersecurity firm Emsisoft.
“They effectively rent the ransomware and share a take of the proceeds with the people who created it. The people who carry out the attacks can and do work with multiple ransomware operations,” he said.
“They attempt to encrypt their target’s network and they also steal data, that way even if the target is able to restore its system from backups, it’s still got the problem of what to do about stolen data.”
It’s not clear whether the town was targeted for any particular reason. Most ransomware attacks are opportunistic rather than targeted, with initial access gained through malicious links or attachments in phishing emails, compromised credentials, or unpatched vulnerabilities in internet-facing systems.
Callow described the LockBit ransomware group as “prolific” and highly active, having carried out a “significant number” of attacks on public-sector institutions south of the border in just the last seven months.
“The University of Detroit Mercy, National College University, Mercyhurst University in Pennsylvania, Val Verde Regional Medical Centre in Texas,” Callow listed.
“The City of Plainview in Minnesota, Hercules in California, Brownsville Public Utilities Board in March, Gordon County in Georgia in March, the City of Colona in Illinois. Public sector attacks by LockBit are very, very common.”
Emsisoft estimated last year that there had been more than 39,000 incidents involving LockBit since it first emerged in 2019, a figure that has only grown. In a blog post, the firm said the group targets “organizations of all sizes, from small businesses to corporate enterprises.”
“Industries most heavily impacted by LockBit include software and services, commercial and professional services, transportation, manufacturing, and consumer services,” the post reads.
Incident comes on heels of cyberattack in Elgin County
The St. Marys ransomware attack is the second cyberattack in the immediate London region in the last several months involving a local government body.
In late March, Elgin County was hit by a cybersecurity incident that left its website and email services offline through the month of April.
Global News first reported in late April that data purporting to belong to the county had been posted to the dark web portal of the notorious Russian ransomware group Conti.
In May, county officials confirmed that thousands of county files, some containing highly sensitive personal information involving 33 people, had been posted to the dark web.
What caused the cybersecurity incident was not made public at the time, but the county’s chief administrative officer, Julie Gonyou, said it was not, to their knowledge, a ransomware attack.
Conti shut down operations in June after sensitive chat logs which appeared to belong to the gang were leaked online, some of which appeared to show ties between it and the Russian government.
At the start of the invasion of Ukraine, some of Conti’s members had pledged on the group’s dark web portal to “use all our possible resources to strike back at the critical infrastructures of an enemy” if Russia was attacked.
Callow says that since closing, Conti members have likely started other ransomware operations and are still very much engaged in cybercrime, just under different names.
Ransomware is a growing threat to Canadian individuals and institutions, according to the Communications Security Establishment (CSE), Canada’s electronic intelligence agency.
Last month, the agency’s associate chief said in CSE’s annual report that the ransomware threat would be a “long-term problem, and something that’s going to affect Canadians for some time.”
In 2021, the agency reported it was aware of 235 ransomware attacks in Canada between January and November of that year, half of which were directed at critical infrastructure providers.
“I’m taking away from this that this is the new reality, and it’s difficult for all of us, including large and small municipalities,” said Strathdee.
“We’ve been advised that over half the municipalities in Ontario – there’s 444 municipalities in Ontario – have had cyber incidents. So this is something that all of us are dealing with.”
— with files from The Canadian Press and Alex Boutilier of Global News