For nearly 16 hours earlier this month, the Sunshine Coast Regional District’s website and emails were down. The cause of the service interruption has now been named: “At this time, it appears as though the SCRD has been a victim of a deliberate attempt by criminals to access information on our servers,” the district said in a Sept. 23 press release.
Since the attack to the SCRD’s computer servers on Sept. 8 and 9, the SCRD has been investigating with the help of an external cyber security firm, and has contacted the Office of the Information and Privacy Commissioner (OIPC). The Sunshine Coast RCMP are also investigating.
While the SCRD has yet to determine if any personal data was compromised, the regional district will contact anyone affected through the OIPC. More information will be disclosed when it becomes available.
The SCRD is not the only local government in B.C. to fall victim to such a cyber threat. Both the District of Squamish and the Resort Municipality of Whistler had their computer servers targeted in recent years. After a 2019 attack, the District of Squamish did not pay a ransom and no personal information was obtained, but many files were corrupted, the Squamish Chief reported.
Brett Callow, a threat analyst with Emsisoft, shared a screenshot on Twitter of the threat listed by LockBit. The screengrab shows it was posted on Sept. 21, and LockBit has given the SCRD until Oct. 4, otherwise “ALL AVAILABLE DATA WILL BE PUBLISHED!” No other information, such as what data is included, was provided.
So who — or what — is LockBit?
In an interview, Callow told Coast Reporter not much is known about who is behind LockBit or where they are based. Like other ransomware groups, LockBit steals a copy of data, attempts to lock and encrypt those targeted computer systems, then demands a sum of money to unlock the systems and destroy their copy of the stolen data. But if no payment is made, the data will be released online.
The SCRD was able to get back online fairly quickly, which Callow says indicates LockBit was unable to encrypt the systems or that the SCRD had back-ups.
The ransomware group would be intentionally vague about what information has been accessed, and will capitalize on that confusion to claim they have more than they do or that it’s more sensitive than it actually is, the threat analyst said.
“Ransomware gangs typically start by releasing information that isn’t very sensitive. It’s akin to a kidnapper sending a pinky finger,” Callow said.
While ransomware attacks have been on the rise since 2020, Callow says the number of successful extortions seems to be on the decline for local governments. It’s hard to say for sure, as not all organizations are transparent about such circumstances. LockBit, he says, probably is successful in their extortion between 20 and 50 per cent of the time.
“[In] this particular scenario, it would make absolutely no sense for the district to pay. All it would receive is a … promise from a bad faith actor,” Callow said. “There is ample evidence that groups don’t always follow through with destroying data when they’ve been paid. Some organizations have been blackmailed a second time using the same set of data that was previously destroyed after they paid initially.”
He said residents may also be contacted to put pressure on the district to respond to the demand, and they should keep an eye out for such scams.