A Small Canadian Town Is Being Extorted By a Global Ransomware Gang (theverge.com)
The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data. The Verge reports: The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit's dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted. In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts. "To be honest, we're in somewhat of a state of shock," Strathdee said. "It's not a good feeling to be targeted, but the experts we've hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7."
Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government's cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team's advice on how to engage further. Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit's standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online. The LockBit group has been responsible for 50 ransomware incidents in June 2022, "making it the most prolific global ransomware group," notes The Verge.
"In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials."
Once again it needs to be a crime (Score:2, Insightful)
Do that and this ransomware stuff will go away over night.
The point being missed is that this is about a local government. Arguments about desperate business owners who don't want to go bankrupt do not apply; as a government entity, they never can go entirely bankrupt, they also can't donate money to private people (e.g. to scammers) or spend without proper contract adjudication, their accounts are probably analyzed annually by a Court of Auditors, and someone can go to jail if money disappeared. A prohibition of paying ransom applying to government entities has much more applicability than it would to general business.
Government is immune (Score:2)
The 1st time a gov't has to spend $10 mil rebuilding its IT infrastructure instead of $1m on a ransom is the last time they allow lax security. As an added bonus, more tech jobs for you and me.
Abortion != Paying data ransom (Score:2)
A ransom is paid when a company doesn't want to spend money on security, i.e. paying IT people like you and me, and finds it cheaper to pay the occasional ransom.
They're not even a little alike.
Crime to pay and a crime to be incompetent (Score:1)
Re: (Score:2)
As with almost all science fiction pieces, however, they miss the future by a wide margin. Not because they are bad at it, but because science fiction authors tend to focus on interesting and chaotic second-order effects with lots of crinkly bits around the fjords, because, let's be honest, they sell more books that way.
If any science fiction author, famous or obscure, had submitted a story where the plot was "modern IT is a bunch of crap that organized crime exploits for extortion," it would have gotten nowhere, because that is just not credible.
Re: (Score:2)
No. It needs to be against the law to HIDE that you've paid ransomware. And there need to be tax penalties for paying it, but not stiff ones. (How that would apply to a town isn't clear.) And it needs to be required that people be informed directly about what of their information has been taken. Perhaps automatic locks on credit transactions, though that needs more thinking about than I've given it.
Re: (Score:2)
People need to know when and what information has been made "public", and need to be protected against that information being used against them. You don't want to give groups a strong reason to hide that, you want the opposite. If your credit card info is circulating on the dark web, you need it to be rendered useless to anyone except you. Etc. Unfortunately, this will in itself be a tremendous nuisance, as you'll need to replace those credit cards, but it needs to be made easy and safe to do so.
Re: (Score:2)
And how would that work?
You never get your data back ...
Re: (Score:1)
You never lost it -- your data that is -- unless you are totally incompetent.
Re: (Score:2)
Obviously everyone who gets hit by a ransomware attack is incompetent, that is why so many pay up.
Re: (Score:2)
No worries, just wait for the deadline and then download it.
was given a deadline by which to pay to have their systems unlocked or else see the data published online.
Re: (Score:2)
How can you be sure you got the right people?
Sorry, but vigilante justice is very frequently even worse injustice.
And why didn't they have a backup, exactly? (Score:2)
Tested, off-site, PULL backups. (Score:5, Insightful)
Back when I had hundreds of customers, I discovered that over half the time people THOUGHT they had backups, the backups had actually stopped working months before. If you haven't recently tested restoring your critical systems, you don't have a backup system. You only have a wish, a hope.
At the time I checked, just in Texas alone there had been a major data center fire or other catastrophe taking out a data center EVERY YEAR. If your "backup" is in the same rack as your main server, it will burn with your main server.
Ransomware gangs know about backups. So they overwrite them. If they have admin access on a server that pushes backups elsewhere, they have the ability to destroy the backups - and they will. A safe backup is PULLED by the backup system, using an account that's trash only in the main server.
* read only (Score:2)
Me and autocorrect wrote:
A safe backup is PULLED by the backup system, using an account that's trash only in the main server.
I meant:
A safe backup is PULLED by the backup system, using an account that's READ-ONLY in the main server.
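The pull-and-test discipline described in the two posts above (backup host initiates the copy, production holds no credentials for the backup store, every snapshot is restore-tested, and a monitor notices when snapshots silently stop), written as an added Python example that is not from the original thread. The `source` directory stands in for a read-only view of the production data; snapshot naming, the manifest format and the age check are this example's own conventions.

```python
import calendar
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

SNAP_FMT = "%Y%m%dT%H%M%S"  # snapshot directory name, UTC (this example's convention)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def pull_snapshot(source: Path, backup_root: Path, now: float) -> Path:
    """Runs on the backup host. 'source' stands in for a read-only view of the
    production data (assumption: e.g. a read-only mount); nothing here writes
    to it, and the production side never holds credentials for backup_root."""
    snap = backup_root / time.strftime(SNAP_FMT, time.gmtime(now))
    shutil.copytree(source, snap / "data")
    # Record what was pulled so a later restore test has something to compare against.
    (snap / "manifest.json").write_text(json.dumps(tree_digests(source), sort_keys=True))
    return snap

def verify_restore(snap: Path) -> bool:
    """A backup is only a backup if it restores: copy the snapshot to scratch
    space and check every file hash against the manifest taken at pull time."""
    manifest = json.loads((snap / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(snap / "data", restored)
        return tree_digests(restored) == manifest

def newest_snapshot_age_days(backup_root: Path, now: float):
    """Age in days of the most recent snapshot, or None when there is none, so a
    monitor can alarm on a backup job that quietly stopped months ago."""
    names = [p.name for p in backup_root.iterdir() if p.is_dir()]
    if not names:
        return None
    newest = calendar.timegm(time.strptime(max(names), SNAP_FMT))
    return (now - newest) / 86400
```

Schedule `pull_snapshot` followed by `verify_restore` from the backup host, and alert when `newest_snapshot_age_days` exceeds your tolerance or returns None.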
Re: (Score:2)
You are assuming that ransomware gangs are clueless and have never done this before.
They are not stupid, and they have well-developed processes, including scripts. Those include mounting any available drives.
If your backup system consists of just a bare hard drive, no server, because you are a three person operation, plug the drive into a Raspberry Pi and download an open source backup system on the Pi. Oh, and change the default password on the Pi if you used an old version that has a default. :)
Re: (Score:2)
> you won't be able to write to it without the correct credentials. The backup process can utilize those.
Where do you figure the backup process is going to *store* those credentials? How do you plan to prevent someone with admin credentials from replacing backup.exe with ransomware.exe?
The people who deploy ransomware as their 9-5 job have thought about this a lot more than you have.
As a security professional and for the last 25 years, me and my colleagues have also thought about it a lot, and researche
Re: (Score:2)
Ransomware is typically deployed via a trojan, via a malicious link in an email, or else exploiting a vulnerability in a web browser, all of which an ordinary user executes, not an administrator. What you are describing is typically only an issue if you have your regular user as an administrator. The regular user will have no way to access where the credentials are stored to mount the NFS drive with write permissions. At best, assuming that the attacker even were aware that an NFS drive existed some
Re: (Score:2)
I see you've chosen option B.
You've chosen to ignore everything learned by all of the experts over decades and just pretend that your first guess must be right. Because after all, that idea came from YOUR ass, so it must be right.
If you learned a bit more, you could improve your thoughts enough to be wrong, rather than ridiculous gibberish.
Re: (Score:2)
If you want to say that my first guess means that malware gets deployed on a system by initially having the same privileges as the user that originally executed it, and that administrators need to take responsibility in keeping their system patched for any known privilege escalation vulnerabilities, possibly completely disabling specific networking services entirely until patches are available then yes.... it is my first guess.
On a properly administered system, there will generally not be any way for a
Know these common backup mistakes (Score:2)
Re: (Score:2)
-1, true but useless
How much of a tax increase are you going to get to pay for that? The answer is NONE.
Heck, for a town of 7,500 the sum of all budgeted IT effort across all departments probably isn't 1 person.
Re: (Score:2)
Pull backup doesn't cost significantly more than push.
Budget is not a good excuse for you to still be using push backups 60 days from now.
Re: (Score:2)
PS - the last company I owned had a total of three employees.
That was the entire corporation - three people.
We had proper backups.
If you want, you can tell me how you and your organization are less competent and less capable than a three person company. Or, you can spend an hour to fix your shit.
Windows (Score:2)
When will people ever learn about Windows?
Town? (Score:2)
Re: (Score:2)
But ... the Baseball Hall of Fame is there!
OK, Canadian version, but still, you can't let an important icon of Canuckistanian culture be shuttered, or the terrorists will have won!
Windows (Score:2)
Screenshots shared on the LockBit site show the file structure of a Windows operating system....
Well there's your problem.