'It was a surprise to us': Town of St. Marys cyberattack cost $1.3M, including $290K in Bitcoin ransom

A report released Monday by the Town of St. Marys shows the cyber incident which crippled the Perth County community’s computer systems in July of last year cost $1.3 million, including a ransom payment of $290,000 in bitcoin.

The town said it received communication from the “threat actor” who indicated they had successfully completed an unauthorized transfer of sensitive data.

The claim was investigated, and the town determined it to be credible enough to warrant legitimate concern about a breach of privacy if the threat actor released the data on the Dark Web.

The report says a third-party negotiator was retained, and council negotiated a ransom payment with the threat actor for the return of the town’s information.

Ultimately, a ransom of $290,000 in Bitcoin was agreed upon and sent to the threat actor.

“The ransom was paid to the threat actor in exchange for decryptor keys to be provided for encrypted systems and for the stolen data to be destroyed,” the report reads.

The report comes around nine months after the town suffered the ransomware attack, which resulted in the town locking down its IT systems and restricting access to email.

"We reacted quickly. It could have been a lot worse than it was, and we came up with a plan against the experts right away so things I feel very proud of the actions to the staff, and I can say with certainty to the public that we did the best we can," St. Marys Mayor Al Strathdee told CTV News London Thursday.

Adding: "We were in the process of making our systems more secure in migrating things to the cloud, and putting systems in place. So, a lot of money we spent we had planned to spend, but we had to spend it all at once as opposed to over time, which is normally how we do business."

The cyberattack occurred on July 20, 2022, with the threat actor deploying LockBit 3.0 onto the town’s systems, encrypting various servers and files.

“The infiltration was discovered quickly by IT staff during their routine Wednesday morning back-up of systems,” the report reads. “Town staff responded by immediately disconnecting all servers, which prevented the ransomware from further infiltrating the town’s systems.”

The town said it began migrating critical services, like fire, police, transit, and water/wastewater, to the cloud in 2020, which it says helped prevent any of these operations from being compromised.

The town said it maintained about 80 per cent of functionality after the attack.

In the days following the attack, the town retained Siskinds LLP and Deloitte LLP to act as technical leads and audit the incident. The companies also investigated the incident to determine its nature, scope, and impact to inform containment, remediation and recovery.

Deloitte determined the cyber incident to be contained by July 28, 2022.

The company then expanded its services to include a design and rebuild of the town’s IT network.

“The rebuild of the new network was completed by Deloitte and was handed over to the town at the beginning of November 2022. Deloitte’s cyber monitoring services continued until December 31, 2022,” the report says.

The cost to rebuild the network system came with a price tag of $440,133.

The town spent $860,970 on incident management, investigation and the ransom.

The town said it is undertaking regular cyber security assessments to identify further steps that can be taken to enhance security.

This will include revisions to policies and continued staff education.

The town’s council has approved the hiring of additional staff resources to assist with data management and retention processes.

On Friday, Strathdee told CTV he feels confident now that a third party is monitoring their systems often.

“It was a surprise to us because we thought that we were well protected,” Strathdee said. “It is a ridiculous world of cyber-attacks and what’s going on in gangs.”

PREVENTING CYBER INCIDENTS

Cyber security experts at eSentire told CTV News that victims paying ransoms isn’t uncommon, especially when it’s paid in bitcoin.

“With cryptocurrency, they can hide that connection back to them in ways,” said Spence Hutchinson, a staff threat intelligence researcher at eSentire. “Victims are paying the ransom about 40 per cent of the time, if you look at 2022 data. That figure’s actually trending downward somewhat over the years.”

Hutchinson said to prevent cyber incidents, it’s best to try and catch it before the encryption phase.

“The longer you wait, the longer the ransomware actor has time to identify you as a target of interest, activate the foothold in your network and break out of an initial compromise in your system,” he said.

eSentire said what was used in St. Marys’ case, LockBit, is a sophisticated malicious ransomware.

“So far in 2023 alone, LockBit has claimed over 200 victims on their leak site,” he said. “In a lot of cases, they don’t only encrypt data, they also steal data. And then hold it as part of the ransom. And that’s called double extortion.”

With files from CTV News London
