A small Ontario town is in the fifth day of dealing with a ransomware attack that has encrypted data.
St. Marys, Ont., a town of about 7,500 just over an hour and a half's drive northwest of Toronto, says critical municipal services, including fire, police, transit, and water/wastewater systems, were unaffected by the incident and are operating as usual. Municipal staff are performing their regular duties and are available by phone, email or in person at town facilities.
Brett Kittmer, the town’s chief administrative officer, said it was hit by the LockBit 3.0 strain of ransomware. Work to restore services is going well, he said in an interview this morning.
“We are 80 per cent operational,” he said, with hopes that all data will be recovered from backups by the end of the week. “Internal staff are working away mostly normally today.”
No ransom demand has been received by the municipality. However, the LockBit gang has posted a letter that it claims comes from the data it copied, as proof of the attack.
The municipality is still trying to determine if any personally identifiable data was copied.
“A number of our staff have put in incredible hours to the issue,” Kittmer said, “but we’re taking some very positive steps.”
“The public likely never saw a significant impact to their services,” he said. “Our critical services like fire, utilities, police were always operational. Even our other services like recreation were operational.”
Kittmer said the town will hire a forensics firm to do a full diagnostic of the IT environment to determine how it was infected and how the municipality can better protect itself.
Last fall, a special expert panel looking into the cybersecurity problems of Ontario’s broader public sector, which includes municipalities, universities, and hospitals, issued an interim recommendation to the province on helping institutions deal with ransomware.
The final report is in the hands of the government.
According to researchers at SentinelLabs, LockBit 3.0 ransomware is an evolution of the prolific LockBit ransomware-as-a-service (RaaS) family, which has roots that extend back to BlackMatter and related entities.
After critical bugs were discovered in LockBit 2.0 in March, the strain’s authors began updating their encryption routines and adding several new features designed to thwart researchers. Other new capabilities include new management features for affiliates and the ability for victims to pay with Zcash as well as Monero and Bitcoin.
The gang also announced it would pay a ‘bug bounty’ to anyone finding flaws in its code.
Kittmer said the attack was discovered by IT staff on July 20th. “We noticed an issue with an external piece of software we use. They logged in to check it and immediately got what we call ‘the screen of death [the ransomware declaration].’ We were able to pull our servers offline. We believe that was an instrumental step to limiting the impact of this attack.”
As IT began to diagnose the issue, they realized that servers that held some of the data drives were encrypted.
IT is still trying to determine if there was personal information on those drives. At the moment Kittmer believes most of it would be information that a member of the public could get through a freedom of information request — “run of the mill data that a municipality needs for their day-to-day administration.”
The municipality said in a statement on its website that IT locked down the Town’s IT systems and restricted access to email. The town also notified its legal counsel, the Stratford Police Service and the Canadian Centre for Cyber Security.
The town is now working with cyber incident response experts to investigate the source of the incident, restore its backup data, and assess the impact on its information, if any. These experts are also assisting staff as they work to fully unlock and decrypt the Town’s systems, a process, the municipality admits, that could take days.
“We have a skilled and knowledgeable team of Town staff, cyber security experts, and legal counsel working around the clock to resolve any issues related to this incident,” Mayor Al Strathdee said in a statement. “I have full confidence in our team and want to assure the public that protecting their privacy is our top priority.”
Governments are a prime target for threat actors, who believe they are vulnerable to financial demands because they provide many essential services.