LockBit ransomware group hit Canadian town

The Canadian town of St. Marys has been hit by a massive ransomware attack that has locked staff out of internal networks and encrypted data.

The Town of St. Marys of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22, a post on LockBit’s dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted.

The following screenshot taken from a ransomware group’s site. Text reads:

The Town of St. Marys is located at the junction of the Thames River and Trout Creek, southwest of Stratford in southwestern Ontario. Rich in natural resources, namely the Thames River, the land that now makes up St. Marys was traditionally used as hunting grounds by First Nations peoples. European settlers arrived in the early 1840s. Stolen data (67GB): financial documents, plans, department, confidential data.

Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit’s standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online.

St. Marys Mayor Al Strathdee commented on the cyber security incident:

To be honest, we’re in somewhat of a state of shock. It’s not a good feeling to be targeted, but the experts we’ve hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7.

Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government’s cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team’s advice on how to engage further.

Last month, a ransomware operation that uses the LockBit 2.0 ransomware claimed to have hit Foxconn Baja California and threatened to release stolen information later, unless the victim pays up.