Cyberattack cost Ontariol town $1.3M, including $290k in Bitcoin ransom | Northern News

Cyberattack cost Ontariol town $1.3M, including $290k in Bitcoin ransom
A cyberattack on the Town of St. Marys that encrypted municipal systems and stole sensitive data cost the local government roughly $1.3 million, including a $290,000 Bitcoin ransom payment made to the hackers, officials have revealed.

Author of the article:Galen Simmons • Stratford Beacon Herald
Published Apr 13, 2023 • Last updated 1 week ago • 4 minute read
Join the conversation
St. Marys Town Hall on Queen Street in St. Marys, Ont. (Derek Ruttan/The London Free Press)
St. Marys Town Hall on Queen Street in St. Marys, Ont. (Derek Ruttan/The London Free Press)
Article content
A cyberattack on St. Marys that hijacked civic computer systems and stole sensitive data cost the Perth County town roughly $1.3 million, including a $290,000 Bitcoin ransom payment paid to the hackers responsible, town officials have revealed.

Advertisement 2
STORY CONTINUES BELOW
This advertisement has not loaded yet, but your article continues below.
Article content
Cyberattack cost Ontariol town $1.3M, including $290k in Bitcoin ransom
Close sticky video
The fallout of the latest in a series of cyberattacks on small towns and cities in Southwestern Ontario was laid out in a report to municipal politicians in the town, with the mayor saying the attack could have been much worse.

“It’s pretty clear that staff acting quickly and effectively is why it wasn’t. The timing was terrible. We’d just gone through a stressful time with COVID. We were working toward more secure systems, so what it did is speed up our whole process, and we spent a whole bunch of money that we planned to spend over three or four years,” St. Marys Mayor Al Strathdee said.

Two days after the town’s computer systems were crippled in the July 20, 2022, ransomware attack, St. Marys cybersecurity experts received a ransom demand from LockBit, a hacker group that claimed to have extracted encrypted sensitive data from municipal servers. An investigation determined the group’s claim to be credible enough to warrant serious concern about the privacy breach if the data was release on the Dark Web, an area of the internet where users can access unindexed web content anonymously through special browsers.

Article content
Advertisement 3
STORY CONTINUES BELOW
This advertisement has not loaded yet, but your article continues below.
Article content
The town hired a third-party negotiator to arrange a ransom payment, ultimately sending $290,000 in Bitcoin to the hackers in exchange for keys to the computer systems that had been encrypted during the ransomware attack and a promise to destroy all of the stolen information.

As of Dec. 31, 2022, Deloitte, the cybersecurity consultants hired by St. Marys in the wake of the attack, had confirmed, through monitoring hacker chatter, that the town’s sensitive data had not been released to the public or on the Dark Web.

“Residents can rest assured that the data is secure and we’re doing the best we can,” Strathdee said.

The hackers responsible for the attack used software known as LockBit 3.0 – the inspiration for the group’s name – to encrypt the town’s various computer servers and data files.

Advertisement 4
STORY CONTINUES BELOW
This advertisement has not loaded yet, but your article continues below.
Article content
The town’s IT staff actually discovered the cyberattack during a routine systems backup, prompting them to immediately disconnect all of the municipal services, which prevented the ransomware from doing further damage.

That early discovery, coupled with a strategic decision in 2020 to begin migrating the town’s operating environment to the cloud, meant critical municipal systems like police and transit were not compromised, officials said. There was little disruption to St. Marys’ public-facing services, with the exception of some online bookings and payments.

Internally, the staff report revealed, staff maintained an 80 per cent functionality after the attack.

“We were working toward better security. We were aware of the environment. We were aware of the issues, but I’m not so sure that, without a huge amount of money spent, we could have prevented what happened,” Strathdee said.

Advertisement 5
STORY CONTINUES BELOW
This advertisement has not loaded yet, but your article continues below.
Article content
Immediately after identifying the attack, the town triggered its emergency response plan. Law firm Siskinds LLP was hired to direct the incident response and help navigate the complexities of data security while Deloitte LLP was retained as the technical lead and forensic auditor. Deloitte also led the investigation into the attack, helping determine its nature and extent.

Deloitte investigators determined the cyberattack to be contained by July 28, 2022, and, in August, began work on designing and rebuilding a new IT network for the town. After completing that work in November, the consultants continued monitoring town services until December.

“I think we’re in a better place now,” Strathdee said of the network rebuild that alone cost the town more than $440,000. “We’ve had it evaluated by Deloitte and we’ve also had a third party come in subsequent to Deloitte finishing up to test their system on a regular basis and provide monitoring for any issues that could arise. We’ve done a lot of staff training and everyone in our corporation has a number of measures (in place) as a result of recommendations.”

Advertisement 6
STORY CONTINUES BELOW
This advertisement has not loaded yet, but your article continues below.
Article content
Prior to the St. Marys incident, Elgin County had fallen victim to a cyberattack that knocked out its website and email system for more than a month and compromised the personal and, in some cases, highly sensitive information of more than 300 employees, long-term care residents and former care residents.

In 2019, a crippling cyberattack on Stratford’s computer systems led the city to pay a ransom of more than $75,000 in Bitcoin while a similar attack the same year against the City of Woodstock cost more than $1 million to restore services without paying the ransom.

“The inference is that these smaller towns . . . are not devoting the strength they need to devote to securing the data that they have,” Ann Cavoukian, former Ontario privacy commissioner and now executive director of Global Privacy and Security By Design Centre, said in the wake of the St. Marys attack. “It poses a great threat and it concerns me that municipalities are not taking the measures necessary to secure their data.”