A Small Canadian Town Is Being Extorted By a Global Ransomware Gang (theverge.com)

The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data. The Verge reports: The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit's dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted. In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts. "To be honest, we're in somewhat of a state of shock," Strathdee said. "It's not a good feeling to be targeted, but the experts we've hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7."

Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government's cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team's advice on how to engage further. Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit's standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online.
The LockBit group has been responsible for 50 ransomware incidents in June 2022, "making it the most prolific global ransomware group," notes The Verge.

"In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials."
  • to pay ransomware. And the penalties need to be extreme. In the range of 10x the cost of just paying the ransom.

    Do that and this ransomware stuff will go away over night.
    • by dumb_jedi ( 955432 ) on Friday July 22, 2022 @06:43PM (#62725934)
      Of course not. The same way that making abortion a crime doesn't stop abortions, people are so desperate they'll do it anyway, just illegally now. That will prevent law enforcement from even being aware of how many incidents there are. It'd be trivial to knock out an entire country's economy by just doing ransomware attacks: companies would either go bankrupt by the ransom payment or by paying the fine. The obvious conclusion is that people will pay the ransom anyway plus a fat kickback to the police to look the other way. Congratulations, you just discovered how it is to live in a third-world country (I lived in one for over forty years).
      • by test321 ( 8891681 ) on Friday July 22, 2022 @08:43PM (#62726152)

        The point being missed is that this is about a local government. Arguments about desperate business owners who don't want to go bankrupt do not apply; as a government entity, they never can go entirely bankrupt, they also can't donate money to private people (e.g. to scammers) or without proper contract adjudication, their accounts are probably analyzed annually by a Court of Auditors, and someone can go to jail if money disappeared. A prohibition of paying ransom applying to government entities has much more applicability than it would to general business.

        • I forget the name of it, but they're essentially immune from their own laws. Instead you pass a law banning gov'ts from paying ransoms. Same thing, different approach.

          The 1st time a gov't has to spend $10 mil rebuilding its IT infrastructure instead of $1m on a ransom is the last time they allow lax security. As an added bonus more tech jobs for you and me.
      • The two aren't even remotely alike. A woman's abortion has no impact on the rest of society, and there are many, many cases where it's needed to save said woman's life.

        A ransomware is paid when a company doesn't want to spend money on security, i.e. paying IT people like you and me, and finds it cheaper to pay the occasional ransom.

        They're not even a little alike.
      • Exactly, the on-book numbers will drop. Politicians will pat themselves on the back. Meanwhile all the random attacks will go on and not be reported. People will be MORE likely to pay without the help of the police. Not less.
    • As a Canadian, I would want it against the law to pay ransomware but I also want better IT security. At this point most security is about theatre, check boxes and closing vulnerabilities after they have been discovered. Maybe CSE (Canadian Security Establishment) should occasionally do vulnerability testing on Canadian companies and government agencies. They can fine the companies and any government agency they deem too incompetent should be banned from any internet connection. So if St. Mary can't afford t
      • This article by Poul-Henning Kamp [acm.org] has never been more apropos:

        As with almost all science fiction pieces, however, they miss the future by a wide margin. Not because they are bad at it, but because science fiction authors tend to focus on interesting and chaotic second-order effects with lots of crinkly bits around the fjords, because, let's be honest, they sell more books that way.

        If any science fiction author, famous or obscure, had submitted a story where the plot was "modern IT is a bunch of crap that organized crime exploits for extortion," it would have gotten nowhere, because that is just not credible

    • by HiThere ( 15173 )

      No. It needs to be against the law to HIDE that you've paid ransomware. And there need to be tax penalties for paying it, but not stiff ones. (How that would apply to a town isn't clear.) And it needs to be required that people be informed directly about what of their information has been taken. Perhaps automatic locks on credit transactions, though that needs more thinking about than I've given it.

    • And how would that work?

      You never get your data back ...

      • You never lost it -- your data that is -- unless you are totally incompetent.

      • No worries, just wait for the deadline and then download it.

        was given a deadline by which to pay to have their systems unlocked or else see the data published online.

  • If it's important enough to even *consider* paying the ransom, it is easily important enough to keep regular timestamped backups so that you can recover to a previous point, and using a tripwire on the backup target so that no process other than the specifically designated one for creating backups can make changes to it.
    • by raymorris ( 2726007 ) on Friday July 22, 2022 @07:45PM (#62726054) Journal

      Back when I had hundreds of customers, I discovered that over half the time people THOUGHT they had backups, the backups had actually stopped working months before. If you haven't recently tested restoring your critical systems, you don't have a backup system. You only have a wish, a hope.

      At the time I checked, just in Texas alone there had been a major data center fire or other catastrophe taking out a data center EVERY YEAR. If your "backup" is in the same rack as your main server, it will burn with your main server.

      Ransomware gangs know about backups. So they overwrite them. If they have admin access on a server that pushes backups elsewhere, they have the ability to destroy the backups - and they will. A safe backup is PULLED by the backup system, using an account that's trash only in the main server.

      • Me and autocorrect wrote:

        A safe backup is PULLED by the backup system, using an account that's trash only in the main server.

        I meant:
        A safe backup is PULLED by the backup system, using an account that's READ-ONLY in the main server.

        • by mark-t ( 151149 )
          push backups can work (and could even be required if your backup device is simply a raw storage medium that is not regularly mounted such as an NFS disk drive which may have no ability to "pull" content from your system), as long as you are making incremental backups, so that even if corrupted data gets backed up, before your system stops working, you can still recover to an earlier point if necessary, and that the only process in the live system that ever uses any writing credentials for the device is t
          • You are assuming that ransomware gangs are clueless and have never done this before.

            They are not stupid, and they have well-developed processes, including scripts. Those include mounting any available drives.

            If your backups system consists of just a bare hard drive, no server, because you are a three person operation, plug the drive into a Raspberry Pi and download an open source backup system on the Pi. Oh and change the default password on the Pi if you used an old version that has a default. :)

            • by mark-t ( 151149 )
              You may be able to mount it, but you won't be able to write to it without the correct credentials. The backup process can utilize those.
              • > you won't be able to write to it without the correct credentials. The backup process can utilize those.

                Where do you figure the backup process is going to *store* those credentials? How do you plan to prevent someone with admin credentials from replacing backup.exe with ransomware.exe?

                The people who deploy ransomware as their 9-5 job have thought about this a lot more than you have.

                As a security professional and for the last 25 years, me and my colleagues have also thought about it a lot, and researche

                • by mark-t ( 151149 )

                  Ransomware is typically deployed via a trojan, via a malicious link in an email, or else exploiting a vulnerability in a web browser, all of which an ordinary user executes, not an administrator. What you are describing is typically only an issue if you have your regular user as an administrator. The regular user will have no way to access where the credentials are stored to mount the NFS drive with write permissions. At best, assuming that the attacker even were aware that an NFS drive existed some

                  • I see you've chosen option B.

                    You've chosen to ignore everything learned by all of the experts over decades and just pretend that your first guess must be right. Because after all, that idea came from YOUR ass, so it must be right.

                    If you learned a bit more, you could improve your thoughts enough to be wrong, rather than ridiculous gibberish.

                    • by mark-t ( 151149 )

                      If you want to say that my first guess means that malware gets deployed on a system by initially having the same privileges as the user that originally executed it, and that administrators need to take responsibility in keeping their system patched for any known privilege escalation vulnerabilities, possibly completely disabling specific networking services entirely until patches are available then yes.... it is my first guess.

                      On a properly administered system, there will generally not be any way for a

      • 1) Backups not ON site - yes they must be offsite. 2) After the backups finish, you need a PULL list, preferably a hard copy so you know which tapes have to be picked and ferried back onsite. After backups file this list. 2.5) if that someone is on holiday and that's not done - well you will be up the creek ... 3) Do not have your restore programs and scripts on the same primary server - to then say we lost the restore software as well. 4) What is the password for the backups? Do we have a license key for the
      • -1, true but useless

        How much of a tax increase are you going to get to pay for that? The answer is NONE.

        Heck, for a town of 7,500 the sum of all budgeted IT effort across all departments probably isn't 1 person.

        • Pull backup doesn't cost significantly more than push.
          Budget is not a good excuse for you to still be using push backups 60 days from now.

          • PS - the last company I owned had a total of three employees.
            That was the entire corporation - three people.

            We had proper backups.

            If you want, you can tell me how you and your organization are less competent and less capable than a three person company. Or, you can spend an hour to fix your shit.
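
The backup thread above (the tripwire on the backup target, raymorris's rule that a safe backup is pulled with a read-only account, and the point that an untested backup is only a wish) boils down to a few mechanisms that are easy to show in code. The following is an added example, not code from the thread, from Slashdot, or from the town's incident team. It uses temporary directories and constructed file contents in place of a real production host and backup server; the "read-only account" is represented by the backup side only ever reading from the source tree, and the snapshot store is append-only with a hash manifest per snapshot.

```python
"""Pull-style versioned backups with restore verification (added example).

Models the thread's advice: the backup host PULLS from production, each
snapshot is timestamped and never rewritten, every snapshot is proven by a
real test restore, and a sudden mass change is treated as a ransomware
signal. All paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_snapshot(source_dir, store_dir, when=None):
    """Pull a full copy of source_dir into a new timestamped snapshot."""
    # Production is only read here; the credential used for that should be
    # read-only on production. An existing timestamp is refused, never reused.
    when = when or datetime.now(timezone.utc)
    snap = os.path.join(store_dir, when.strftime("%Y%m%dT%H%M%SZ"))
    if os.path.exists(snap):
        raise FileExistsError(f"snapshot already exists: {snap}")
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(snap, "data", rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            manifest[rel] = sha256_file(dst)
    with open(os.path.join(snap, "manifest.json"), "w") as f:
        json.dump(manifest, f, sort_keys=True)
    return snap


def load_manifest(snap):
    with open(os.path.join(snap, "manifest.json")) as f:
        return json.load(f)


def verify_restore(snap):
    """Restore the snapshot into scratch space and re-hash every file."""
    # Proves the snapshot is intact; it does not prove the data was good.
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        for rel, digest in load_manifest(snap).items():
            dst = os.path.join(scratch, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(os.path.join(snap, "data", rel), dst)
            if sha256_file(dst) != digest:
                return False
        return True
    finally:
        shutil.rmtree(scratch)


def changed_fraction(prev_snap, new_snap):
    """Fraction of files whose hash differs between two snapshots."""
    # Normal days change a few files; ransomware rewrites nearly all of them.
    # A jump here means: stop pruning old snapshots and page a human.
    old, new = load_manifest(prev_snap), load_manifest(new_snap)
    names = set(old) | set(new)
    changed = sum(1 for n in names if old.get(n) != new.get(n))
    return changed / len(names) if names else 0.0


def demo():
    """Constructed scenario: clean pull, production encrypted, store tampered."""
    prod = tempfile.mkdtemp(prefix="prod-")
    store = tempfile.mkdtemp(prefix="store-")
    # Constructed sample files standing in for a municipal file share.
    for rel, body in [("finance/ledger.csv", b"2022-07-01,tax,1200\n"),
                      ("works/roads.txt", b"main street repaving\n"),
                      ("sewage/plan.txt", b"pump schedule\n")]:
        path = os.path.join(prod, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    clean = pull_snapshot(prod, store, datetime(2022, 7, 20, tzinfo=timezone.utc))
    # Simulate ransomware on production: every file overwritten with junk.
    for root, _dirs, files in os.walk(prod):
        for name in files:
            with open(os.path.join(root, name), "wb") as f:
                f.write(os.urandom(64))
    after = pull_snapshot(prod, store, datetime(2022, 7, 22, tzinfo=timezone.utc))
    result = {
        "clean_restores": verify_restore(clean),
        "after_restores": verify_restore(after),
        "changed": changed_fraction(clean, after),
    }
    # An attacker who can write to the store (push backups, shared credentials)
    # corrupts old snapshots; the manifest catches it on the next test restore.
    with open(os.path.join(clean, "data", "finance", "ledger.csv"), "ab") as f:
        f.write(b"\x00")
    result["clean_after_tamper"] = verify_restore(clean)
    shutil.rmtree(prod)
    shutil.rmtree(store)
    return result


if __name__ == "__main__":
    print(demo())
```

Two things are worth noticing when running it. The snapshot taken after the simulated encryption still passes the restore test, because restore verification only proves that the snapshot is intact; the changed-file ratio (1.0 here, every file rewritten) is what flags the mass rewrite, and that is the moment to stop rotating out older snapshots. Tampering with a stored file is caught by the manifest on the next test restore, which is the "tripwire" role; in a real deployment the store lives on a host that production cannot write to at all, so that an attacker holding production admin rights cannot reach it in the first place.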

  • When will people ever learn about Windows?

  • With a population of 7,500, don't they mean village? Why is a village having to run its own IT systems? Doesn't the Canadian govt have a decent one they provide?
    • But ... the Baseball Hall of Fame is there!
      OK, Canadian version, but still, you can't let an important icon of Canuckistanian culture be shuttered, or the terrorists will have won!

  • Screenshots shared on the LockBit site show the file structure of a Windows operating system....

    Well there's your problem.
