Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

LockBit claims attack on London Drugs, demands US$25m

Ransomware titan LockBit has claimed an attack on major Canadian pharmacy chain London Drugs, leading to the company shutting down its stores last week.

user icon Daniel Croft
Wed, 22 May 2024
LockBit claims attack on London Drugs, demands US$25m
expand image

The threat group yesterday (21 May) listed London Drugs on its dark web leak site, giving it a 48-hour deadline to pay US$25 million in ransom to prevent data from being released.

“With endless revenue, greedy pharma is only willing to pay 8 million, help someone help the poor pharma raise another 17 million dollars and the stolen data will not be released after 48 hours,” wrote LockBit.

While LockBit has only now listed London Drugs on its dark web blog, the cyber attack was reported on 28 April, forcing the pharmacy chain to close its 79 locations all across western Canada for several days.

============
============

“Upon discovering the incident, we immediately deployed countermeasures to secure our network and data from further malicious acts and engaged third-party cyber security experts to assist with containment, remediation, restoration and to conduct a forensic investigation to determine the cause and extent of the incident,” the company said in a statement on Saturday (18 May).

While London Drugs said there was nothing to indicate customer information was accessed in the data breach, its investigations suggest that some employee data may have been exposed after the hackers accessed some corporate files.

“We are not yet able to provide any specifics on the nature of employee personal information potentially impacted,” said an internal memo to staff seen by media.

“This is because there are a large number of unstructured corporate files that are not in [a] consistent format, and each must be individually reviewed.”

However, there is nothing to suggest the main employee-specific database was compromised.

“We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the dark web,” said London Drugs in an update yesterday.

“This is deeply distressing, and London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted as described below.”

London Drugs said that if the investigation reveals that customer data or employee-specific databases were indeed accessed in the attack, it will provide an update.

LockBit has been busy rebuilding its database of victim organisations after its site was seized by global law enforcement agencies in February.

“Operation Cronos”, a sting led by the National Crime Agency of the UK alongside law enforcement agencies from the US, Germany, Canada and Australia, saw control of the threat group’s websites taken over.

“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” the site said.

“We can confirm that LockBit’s services have been disrupted as a result of international law enforcement action – this is an ongoing and developing operation.”

The group quickly bounced back with a major spree of cyber attacks, with 68 victims listed on 9 May alone, just days after law enforcement agencies outed one of the group’s senior hackers, Russian national Dmitry Yuryevich Khoroshev.

Many of the victims were likely attacked before the Khoroshev announcement, but it’s a sure sign that the gang does not intend to slow its operations despite the sanctions levelled at the unmasked hacker.

It had posted two victims the day before, and 15 on 7 May. In May alone – so far – the gang has claimed more than 100 victims, putting the gang on track to have its busiest month since August last year.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.