'It was a surprise to us': Town of St. Marys cyberattack cost $1.3M, including $290K in Bitcoin ransom
A report released Monday by the Town of St. Marys shows the cyber incident which crippled the Perth County community’s computer systems in July of last year cost $1.3 million, including a ransom payment of $290,000 in bitcoin.
The town said it received communication from the “threat actor” who indicated they had successfully completed an unauthorized transfer of sensitive data.
The claim was investigated, and the town determined it to be credible enough to warrant legitimate concern about a breach of privacy if the threat actor released the data on the Dark Web.
The report says a third-party negotiator was retained, and council negotiated a ransom payment with the threat actor for the return of the town’s information.
Ultimately, a ransom of $290,000 in Bitcoin was agreed upon and sent to the threat actor.
“The ransom was paid to the threat actor in exchange for decryptor keys to be provided for encrypted systems and for the stolen data to be destroyed,” the report reads.
The report comes around nine months after the town suffered the ransomware attack, which resulted in the town locking down its IT systems and restricting access to email.
"We reacted quickly. It could have been a lot worse than it was, and we came up with a plan against the experts right away so things I feel very proud of the actions to the staff, and I can say with certainty to the public that we did the best we can," St. Marys Mayor Al Strathdee told CTV News London Thursday.
He added: "We were in the process of making our systems more secure in migrating things to the cloud, and putting systems in place. So, a lot of money we spent we had planned to spend, but we had to spend it all at once as opposed to over time, which is normally how we do business."
The cyberattack occurred on July 20, 2022, with the threat actor deploying LockBit 3.0 onto the town’s systems, encrypting various servers and files.
“The infiltration was discovered quickly by IT staff during their routine Wednesday morning back-up of systems,” the report reads. “Town staff responded by immediately disconnecting all servers, which prevented the ransomware from further infiltrating the town’s systems.”
The town said it began migrating critical services, like fire, police, transit, and water/wastewater, to the cloud in 2020, which it says helped prevent any of these operations from being compromised.
The town said it maintained about 80 per cent of functionality after the attack.
In the days following the attack, the town retained Siskinds LLP and Deloitte LLP to act as technical leads and audit the incident. The companies also investigated the incident to determine its nature, scope, and impact to inform containment, remediation and recovery.
Deloitte determined the cyber incident to be contained by July 28, 2022.
The company then expanded its services to include a design and rebuild of the town’s IT network.
“The rebuild of the new network was completed by Deloitte and was handed over to the town at the beginning of November 2022. Deloitte’s cyber monitoring services continued until December 31, 2022,” the report says.
The cost to rebuild the network system came with a price tag of $440,133.
The town spent $860,970 on incident management and investigation and ransom.
The town said it is undertaking regular cyber security assessments to identify further steps that can be taken to enhance security.
This will include revisions to policies and continued staff education.
The town’s council has approved the hiring of additional staff resources to assist with data management and retention processes.
On Friday, Strathdee told CTV he feels confident now that a third party is monitoring their systems often.
“It was a surprise to us because we thought that we were well protected,” Strathdee said. “It is a ridiculous world of cyber-attacks and what’s going on in gangs.”
PREVENTING CYBER INCIDENTS
Cyber security experts at eSentire told CTV News that victims paying ransoms isn’t uncommon, especially when it’s paid in bitcoin.
“With cryptocurrency, they can hide that connection back to them in ways,” said Spence Hutchinson, a staff threat intelligence researcher at eSentire. “Victims are paying the ransom about 40 per cent of the time, if you look at 2022 data. That figure’s actually trending downward somewhat over the years.”
Hutchinson said to prevent cyber incidents, it’s best to try and catch it before the encryption phase.
“The longer you wait, the longer the ransomware actor has time to identify you as a target of interest, activate the foothold in your network and break out of an initial compromise in your system,” he said.
eSentire said what was used in St. Marys’ case, LockBit, is a sophisticated malicious ransomware.
“So far in 2023 alone, LockBit has claimed over 200 victims on their leak site,” he said. “In a lot of cases, they don’t only encrypt data, they also steal data. And then hold it as part of the ransom. And that’s called double extortion.”
With files from CTV News London