St. Marys, Ont. grappling with cyberattack as ransomware group threatens to release stolen data

As the city of St. Marys, Ont., faced the aftermath of a cybersecurity incident Friday that locked down and encrypted its internal server, a notorious ransomware group threatened to release a tape of data allegedly belonging to the city. on the dark web.

St. Marys officials first became aware of the attack around 11 a.m. Wednesday, prompting staff to lock down the city’s computer systems and isolate its network to prevent further damage, Mayor Al Strathdee said. .

“Since that time, we realized it was a malware attack. There was a message asking for a ransom,” he said.

“We have engaged a team of experts to help us through this and secure our network and we have been able to resume some operations. We also have the support of the Ontario Provincial Police and legal counsel who are guiding us through the instructions.

Stratford Police and the Canadian Center for Cyber ​​Security (CCCS) have been notified of the incident, and city departments such as fire, police, transit, water and sewer systems have not been contacted. untouched and working as usual.

“We have the option to use email again to communicate, so that our operations from the outside, other than some access to certain files, seem normal. We are on the verge of being able to resume almost all operations” , Strathdee said.

In a news release on Friday, the city said “cyber incident response experts” were working with St. Marys to determine the source of the incident, back up data and assess any impact to its information.

“These experts are also assisting staff in their efforts to fully unlock and decrypt city systems, a process that could take days,” the statement said.

LockBit ransomware group involved

St. Marys spokesperson Brett O’Reilly confirmed to Global News that the incident was the result of the notorious LockBit ransomware group, which has been active since late 2019.

The group alleged on its dark web portal on Friday that it stole 67 gigabytes of data belonging to St. Marys, including confidential data and financial documents.

A countdown clock on the post said the city had until the afternoon of July 30 to pay the ransom or the data would be released, a tactic known as double extortion.

Four screenshots are included in the message. Two claim to show sets of file trees and two claim to be documents taken during the breach. Global News has not independently verified their authenticity and does not publish the images.

No ransom amount was listed on LockBit’s page, and Mayor Strathdee declined to say how much the group was being asked for. In ransomware cases, payment is often requested in the form of digital currency like Bitcoin.

To date, the municipality has not paid the ransom, he said. “We will act on our legal advice. Additionally, we are in contact with the Ontario Provincial Police and expect to follow their advice and we will follow legal advice at all stages.

CCCS notes that paying a ransom does not guarantee access to encrypted data, or that stolen data will be deleted by the ransomware group.

“Ultimately, the decision to pay the ransom rests with your organization, but it’s important that your organization is fully aware of the risks associated with paying the ransom,” says an unclassified “ransomware playbook” published by the agency last year.

Trending Stories

• Humboldt Broncos families react to truck driver being granted day parole

• Over $500,000 raised for pizza delivery man who saved 5 people from burning house

“For example, threat actors can use erasure malware, which permanently alters or deletes your files after you pay the ransom. The payment can also be used to fund and support other illicit activities.

The LockBit ransomware group operates on a ransomware-as-a-service model, which means the people carrying out the attacks aren’t necessarily the ones who created the ransomware, said island-based threat analyst Brett Callow. of Vancouver for cybersecurity firm Emsisoft.

“They effectively rent the ransomware and share some of the profits with the people who created it. The people carrying out the attacks can and do work with multiple ransomware operations,” he said.

“They attempt to encrypt their target’s network and they also steal data, so even if the target is able to restore their system from backups, there remains the problem of what to do with the stolen data.”

It is not clear if the town was targeted for any particular reason. The majority of ransomware attacks are carried out randomly via malicious links in phishing emails, compromised credentials, or unpatched vulnerabilities on internet-connected networks.

Callow described the LockBit ransomware group as “prolific” and very active, having carried out a “significant number” of attacks in the last seven months alone against several public sector institutions south of the border.

“University of Detroit Mercy, National College University, Mercyhurst University in Pennsylvania, Val Verde Regional Medical Center in Texas,” Callow listed.

“The city of Plainview in Minnesota, Hercules in California, the Brownsville Public Utilities Board in March, Gordon County in Georgia in March, the city of Colona in Illinois. Public sector attacks by LockBit are very, very common.

Emsisoft estimated last year that there had been more than 39,000 incidents involving LockBit since it first appeared in 2019, a figure that has only grown. In a blog post, the company said the target group “organizations of all sizes, from small businesses to large enterprises.”

“Industries most affected by LockBit include software and services, business and professional services, transportation, manufacturing, and consumer services,” the post reads.

The incident follows a cyberattack in Elgin County

The St. Marys ransomware attack is the second cyberattack in the immediate London area in recent months involving a local government body.

In late March, Elgin County was hit by a cybersecurity incident that left its website and email services offline throughout April.

Global News first reported in late April that data claiming to belong to the county had been published on the dark web portal of notorious Russian ransomware group Conti.

In May, county officials confirmed that thousands of county files, some containing highly sensitive personal information about 33 people, had been posted on the dark web.

The cause of the cybersecurity incident was not made public at the time, but county administrative manager Julie Gonyou said it was not, to their knowledge, an attack by ransomware.

Conti ended his operations in June after sensitive chat logs that appeared to belong to the gang were leaked online, some of which appeared to show links between him and the Russian government.

Early in the invasion of Ukraine, some Conti members had pledged on the group’s dark web portal to “use all our resources possible to retaliate against an enemy’s critical infrastructure” if Russia were attacked.

Callow says that since the shutdown, Conti members have likely launched other ransomware operations and are still heavily involved in cybercrime, just under different names.

According to the Communications Security Establishment (CSE), Canada’s electronic intelligence agency, ransomware is a growing threat to Canadian individuals and institutions.

Last month, the agency’s deputy chief said in CSE’s annual report that the ransomware threat would be a “long-term problem, and something that’s going to affect Canadians for some time.”

In 2021, the agency reported that it was aware of 235 ransomware attacks in Canada between January and November of that year, half of which targeted critical infrastructure providers.

“I take it this is the new reality and it’s difficult for all of us, including municipalities large and small,” Strathdee said.

“We have been informed that more than half of the municipalities in Ontario – there are 444 municipalities in Ontario – have experienced cyber incidents. So it’s something we all face.

— with files from The Canadian Press and Alex Boutilier of Global News