'It was a surprise to us': Town of St. Marys cyberattack cost $1.3M, including $290K in Bitcoin ransom
A report released Monday by the Town of St. Marys shows the cyber incident which crippled the Perth County community’s computer systems in July of last year cost $1.3 million, including a ransom payment of $290,000 in bitcoin.
The town said it received communication from the “threat actor” who indicated they had successfully completed an unauthorized transfer of sensitive data.
The claim was investigated, and the town determined it to be credible enough to warrant legitimate concern about a breach of privacy if the threat actor released the data on the Dark Web.
The report says a third-party negotiator was retained, and council negotiated a ransom payment with the threat actor for the return of the town’s information.
Ultimately, a ransom of $290,000 in Bitcoin was agreed upon and sent to the threat actor.
“The ransom was paid to the threat actor in exchange for decryptor keys to be provided for encrypted systems and for the stolen data to be destroyed,” the report reads.
The report comes around nine months after the town suffered the ransomware attack, which resulted in the town locking down its IT systems and restricting access to email.
"We reacted quickly. It could have been a lot worse than it was, and we came up with a plan against the experts right away so things I feel very proud of the actions to the staff, and I can say with certainty to the public that we did the best we can," St. Marys Mayor Al Strathdee told CTV News London Thursday.
Adding: "We were in the process of making our systems more secure in migrating things to the cloud, and putting systems in place. So, a lot of money we spent we had planned to spend, but we had to spend it all at once as opposed to over time, which is normally how we do business."
The cyberattack occurred on July 20, 2022, with the threat actor deploying LockBit 3.0 onto the town’s systems, encrypting various servers and files.
“The infiltration was discovered quickly by IT staff during their routine Wednesday morning back-up of systems,” the report reads. “Town staff responded by immediately disconnecting all servers, which prevented the ransomware from further infiltrating the town’s systems.”
The town said it began migrating critical services, like fire, police, transit, and water/wastewater, to the cloud in 2020, which it says helped prevent any of these operations from being compromised.
The town said it maintained about 80 per cent of functionality after the attack.
In the days following the attack, the town retained Siskinds LLP and Deloitte LLP to act as technical leads and audit the incident. The companies also investigated the incident to determine its nature, scope, and impact to inform containment, remediation and recovery.
Deloitte determined the cyber incident to be contained by July 28, 2022.
The company then expanded its services to include a design and rebuild of the town’s IT network.
“The rebuild of the new network was completed by Deloitte and was handed over to the town at the beginning of November 2022. Deloitte’s cyber monitoring services continued until December 31, 2022,” the report says.
The cost to rebuild the network system came with a price tag of $440,133.
The town spent $860,970 on incident management and investigation and ransom.
The town said it is undertaking regular cyber security assessments to identify further steps that can be taken to enhance security.
This will include revisions to policies and continued staff education.
The town’s council has approved the hiring of additional staff resources to assist with data management and retention processes.
On Friday, Strathdee told CTV he feels confident now that a third party is monitoring their systems often.
“It was a surprise to us because we thought that we were well protected,” Strathdee said. “It is a ridiculous world of cyber-attacks and what’s going on in gangs.”
PREVENTING CYBER INCIDENTS
Cyber security experts at eSentire told CTV News that victims paying ransoms isn’t uncommon, especially when it’s paid in bitcoin.
“With cryptocurrency, they can hide that connection back to them in ways,” said Spence Hutchinson, a staff threat intelligence researcher at eSentire. “Victims are paying the ransom about 40 per cent of the time, if you look at 2022 data. That figure’s actually trending downward somewhat over the years.”
Hutchinson said to prevent cyber incidents, it’s best to try and catch it before the encryption phase.
“The longer you wait, the longer the ransomware actor has time to identify you as a target of interest, activate the foothold in your network and break out of an initial compromise in your system,” he said.
eSentire said what was used in St. Marys’ case, LockBit, is a sophisticated malicious ransomware.
“So far in 2023 alone, LockBit has claimed over 200 victims on their leak site,” he said. “In a lot of cases, they don’t only encrypt data, they also steal data. And then hold it as part of the ransom. And that’s called double extortion.”
With files from CTV News London