Ransomware attack cost town of St. Marys, Ont., $1.3M to manage: report

IT staff for the town of St. Marys, Ont., discovered the ransomware attack on July 20, 2022. The attack was deemed contained two days later.

At least $1.3 million has been spent by the town of St. Marys, Ont., to investigate and manage last summer’s cybersecurity incident, which saw files and servers encrypted in an attack involving the notorious ransomware LockBit 3.0, a report presented to the town’s council earlier this week says.

As well, the report reveals the town forked over a ransom of nearly $300,000 to obtain decryption keys, a decision that came on the recommendation of a third-party firm the town retained to assist it through the incident.

The ransomware attack first came to the attention of the town’s IT staff on July 20, 2022, as they were conducting a routine system backup, the report says. Staff quickly disconnected all servers, which helped prevent further systems from being impacted, it notes.

“Because of quick actions of the IT staff, the ransomware did not fully encrypt all the Town’s systems,” the report states.

“This action, combined with a strategic decision in 2020 to begin migrating the Town’s operating environment to the Cloud, meant that none of the Town’s critical services like fire, police, transit, and water/wastewater were impacted.”

In responding to the incident, outside help was brought on by way of Deloitte and Siskinds, the report says, with Deloitte serving as the town’s technical lead and forensic auditor, and Siskinds acting as incident response director.

As Global News first reported at the time, the dark web portal for LockBit claimed that at least 67 gigabytes worth of data had been stolen from the town, including confidential data and financial documents.

The town had until July 30 to pay a ransom or the data would be published, the page said, a tactic known as double extortion. No ransom was listed on the page, and it’s not clear how much had been originally sought by those involved in the attack.

Ultimately, the town opted to retain a third-party negotiator to hash out a ransom payment in exchange for decryptor keys to unlock the data. In the end, a ransom of US$200,000 in Bitcoin, or about C$290,000, was paid, the report says.

“It was a hard decision to make, but it was the recommendation of the experts that we hired to help us through this,” said Mayor Al Strathdee on Friday.

“There is no step-by-step guide or particular guidance as to how to deal with each circumstance because every circumstance is different,” he said, referring to other LockBit incidents. “We engaged the best we could with the resources we had, and it was their advice that we pay the ransom, and we did.”

The incident was deemed contained on July 22, 2022, by Deloitte, which undertook a design and rebuild of a new IT network for the town, the report says. The new network was finished and handed over to the town in November, with monitoring services provided by Deloitte until the end of 2022.

Asked about the network improvements and security protocol updates that had been implemented in the wake of the attack, Strathdee declined to go into detail.

“One of the Deloitte’s recommendations was that we didn’t talk specific to our security and our systems because of what happened,” he said.

The town, he said, has followed the guidelines and recommendations provided by the two firms and has engaged a third party to monitor the systems on an ongoing basis.

Asked about the possibility that data stolen from the town may still be out there somewhere, even though a ransom was paid, Strathdee said he wasn’t concerned.

“It’s not a concern of mine. I believe that we acted as the experts told us, and I think that we’re secure going forward.”

It’s not clear whether St. Marys was targeted. Most ransomware attacks are done at random via malicious links in phishing emails, compromised credentials, or unpatched vulnerabilities on internet-facing networks.

Details about the attack itself remain under wraps, including how LockBit got into the town’s network, how many files were taken, and whether any included sensitive personal data of staff members or local residents.

“We have a report that was done by Deloitte, but I’m not able to release any particulars as per their advice,” Strathdee said.

“I’m not trying to be evasive. The report, I think, is pretty detailed in terms of what happened, sort of, the information we can speak to.”

LockBit is both the name of a ransomware group and the software used in the attacks. The group operates under a ransomware-as-a-service model, meaning those carrying out the attacks may not necessarily be those who created the ransomware itself.

“They effectively rent the ransomware and share a take of the proceeds with the people who created it. The people who carry out the attacks can and do work with multiple ransomware operations,” Brett Callow, a Vancouver Island-based threat analyst with Emsisoft, told Global News in July 2022.

The group is prolific and highly active, and has been implicated in hundreds of cyberattacks since it began operating in 2019. The group carried out 101 attacks in February, and has carried out more than 1,300 since January 2020, according to the digital storage firm NordLocker.

Earlier this year, Indigo Books & Music Inc. was hit by an attack involving LockBit ransomware. The incident impacted the company for a month, and saw personal information of current and former employees compromised.

LockBit ransomware was also implicated in an attack against Toronto’s Sick Kids Hospital late last year. The group later issued a brief apology, blaming the attack on one of its partners. The group provided the hospital a free decryptor. Hospital officials, however, said they did not use it.

U.S. officials allege LockBit has made at least $100 million in ransom demands and extracted tens of millions from victims.

In November, the U.S. Department of Justice charged dual Russian and Canadian citizen Mikhail Vasiliev in connection with his alleged participation in a LockBit ransomware campaign.

— with files from Tara Deschamps of The Canadian Press
