A report on the cyber attack against the Town of St. Marys that occurred last summer was presented to town council on Tuesday night.
The ransomware attack against the Town's systems in July 2022 has so far cost just over $1.3 million, including $860,970 for incident management and $440,133 for a network system rebuild.
Council negotiated a ransom payment with the threat actor for the return of the Town’s information. A third-party negotiator was retained, and a ransom payment of $290,000 in bitcoin was agreed to, which is part of the incident management portion.
In an interview Wednesday morning, St. Marys Mayor Al Strathdee told StratfordToday that the cyber attack was a difficult situation and stressful for town staff.
"It is happening more and more. You flip on the news and see something like this happening all the time."
"Unfortunately, it is a common thing in the municipal and business worlds."
All of the money from the incident is coming from the town's coffers, not from insurance, Strathdee confirmed. The town was, however, in the midst of rebuilding its network system, so some of that portion was already budgeted.
"A plan was in place and we were going to spend that money over time."
The "threat actor" deployed LockBit 3.0 onto the Town’s systems, encrypting various servers and files, according to the report.
IT staff discovered the attack during a routine Wednesday morning back-up of systems. Town staff disconnected all servers, which prevented the ransomware from further infiltrating systems.
The ransomware did not fully encrypt all of the Town’s systems. Quick reaction by IT staff and a strategic decision in 2020 to begin migrating the Town’s operating environment to the Cloud ensured that none of the Town’s critical services - fire, police, transit, and water/wastewater - were impacted, per the report.
Strathdee said the report noted the Town had sufficient safeguards in place for a community of its size and he doesn't think staff could have reacted any quicker than they did.
There was little service disruption for local residents, with the exception of some online and in-person services, such as bookings and payments, being unavailable. Internally, staff maintained about 80 per cent functionality following the attack.
The Town initiated its emergency response plan and called together an internal response team on July 20. Siskinds LLP was retained the following day to act as the incident response director. The Town also retained Deloitte LLP on July 25 to act as technical lead and forensic auditor, to provide overall management of the incident response, ensure that incident response processes were sound and aligned with good practices, investigate the incident to determine its nature, scope, and impact, and to inform containment, remediation and recovery.
Deloitte determined the cyber incident to be contained by July 28. In August, Deloitte’s scope expanded to include a design and rebuild of a new IT network. The network rebuild was completed by Deloitte and handed over to the Town at the beginning of November.
Deloitte’s cyber monitoring continued until December 31.
On July 22, the "threat actor" sent communication to the Town’s cyber security experts asserting they had exfiltrated sensitive data.
The ransom was paid in exchange for decryptor keys for encrypted systems, and for stolen data to be destroyed. After the ransom was paid, the decryptor keys were received and references to St. Marys’ vulnerabilities and exposures, ongoing or future attacks against St. Marys and attempted sale or data dumps containing St. Marys information confirmed that nothing was released in the public realm or on the Dark Web, the report states.
The Town is undertaking regular cyber security assessments to identify further steps to enhance security. That will include revisions to policies and continued staff education.
Council has approved hiring additional staff resources to assist with data management and retention processes.