The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit’s dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted.
In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts.
“To be honest, we’re in somewhat of a state of shock,” Strathdee said. “It’s not a good feeling to be targeted, but the experts we’ve hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7.”
Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government’s cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team’s advice on how to engage further.
Screenshots shared on the LockBit site show the file structure of a Windows operating system, containing directories corresponding to municipal operations like finance, health and safety, sewage treatment, property files, and public works. Per LockBit’s standard operating methods, the town was given a deadline by which to pay to have their systems unlocked or else see the data published online.
Brett O’Reilly, communications manager for the town of St. Marys, directed The Verge to a press statement issued by St. Marys in which the town gave further details. Per the statement, essential municipal services like transit and water systems have been unaffected by the incident, and the town is attempting to unlock IT systems and restore backup data.
According to an analysis by Recorded Future, the LockBit group alone took credit for 50 ransomware incidents in June 2022, making it the most prolific global ransomware group. In fact, St. Marys is the second small town to be targeted by LockBit in the space of just over a week: on July 14th, LockBit listed data from the town of Frederick, Colorado (population 15,000) as having been hacked, a claim that is currently under investigation by town officials. The LockBit listing for Frederick currently demands a ransom of $200,000 not to publish the data.
Increasingly, smaller municipalities are finding themselves the targets of sophisticated global ransomware groups with extensive technical knowledge and resources. In March, the FBI cyber division published a notification to private industry partners of government agencies, noting that ransomware attacks were “straining local US governments and public services.”