Canadian Town Faces Extortion Timetable
Two recent attacks show once again that ransomware gangs don’t just target large organizations to garner million-dollar payouts. On July 20th, 2022, the small town of St. Mary’s, Canada fell victim to an attack that locked and encrypted its internal server. Town leadership confirmed the attack through a public notice on the town’s government website two days later. Fortunately, the attack never impacted municipal and emergency services such as water, transit, police, and fire. The perpetrators behind the attack have been identified as the LockBit ransomware gang, one of the more notorious and well-known cybercriminal organizations in the world. LockBit confirmed their involvement in the attack by publishing four screenshots on their website showing multiple sets of file trees and documents they claim were taken during the breach. The town has since been informed that it has until July 30th to pay an undisclosed ransom, at which point the group will publicize the 67 gigabytes of data they managed to successfully exfiltrate. The attack comes just one week after LockBit took credit for a similar attack, launched on July 14th, against the town of Frederick, Colorado, a town roughly twice the size of St. Mary’s. A spokesperson for Frederick denied that any of the town’s files had been encrypted, but said the town was still confirming whether its network had been infiltrated by an unauthorized party after being notified of a $200,000 ransom demand.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
St. Mary’s staff became aware of the attack at 11:00 AM on July 20th as evidence of the attack began to proliferate across the network. The town was issued a ransom note the next day informing them of the attack and what LockBit expected of them.
|CONTAINMENT (If IoCs are identified)|
According to the mayor, the town’s IT systems were shut down and isolated to prevent the malware from spreading further. Local police were notified, as was the Canadian Centre for Cyber Security (CCCS). An outside cybersecurity team was brought in to determine the source of the attack, assess whether backups were still operational, and assist internal staff in the long process of unlocking and restoring files. The town is working with legal counsel to decide whether it will respond to the extortion demands. As of this writing, spokespeople for St. Mary’s say that no ransom has been paid. Like US federal authorities, the CCCS discourages the practice of paying the ransom.
Smaller organizations that are forced to contend with ransomware remediation often seek solutions that are easy to implement because of their limited staff, resources, and knowledge base. A common question about ransomware recovery is whether re-imaging a system is a viable option. A re-image restores the system to a known-clean baseline, onto which data from a backup can then be restored. This is the generally recommended best practice. If a ransom is paid, the alternative approach is to run a decryption utility provided by the attacker on the existing encrypted system to recover the data in place.
You can strengthen your Incident Response Readiness (IRR) to prepare for an attack. A security assessment helps identify areas of risk and opportunities for improvement that can prevent, or limit the impact of, a successful malware attack.