A Montreal-area city was hit by ransomware over the weekend, according to a Quebec news service.
La Presse reported this morning that Westmount Mayor Christina Smith confirmed the attack. Westmount is a municipality of about 21,000 people within Montreal.
The LockBit ransomware gang has claimed credit, saying it copied 14 TB of data and will release it in two weeks unless a ransom is paid. The city’s website hasn’t been affected by the attack.
LockBit’s claim shouldn’t be assumed to be accurate, cautioned Brett Callow, a British-Columbia-based threat analyst for Emsisoft – at least, not in relation to 14TB having been exfiltrated. “They’ve exaggerated in the past, and could be doing so again,” he said in an email.
According to La Presse, the attack was spotted Sunday morning by a city employee who noticed a problem with a computer.
La Presse quotes Claude Vallières, the city’s head of IT, saying, “We know we have encrypted servers, but we don’t know who attacked us. We are still investigating the infected servers, but we have not had any communication with anyone…”
According to the just-released National Cyber Threat Assessment from the federal government’s Canadian Centre for Cyber Security, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. “So long as ransomware remains profitable, we will almost certainly continue to see cybercriminals deploying it,” the report says in part.
Exactly a year ago, the centre released a Ransomware Playbook with details on how to defend against and recover from a ransomware attack. “Single mitigation measures are not robust enough to combat the evolving threat of ransomware. Your organization should adopt a defence in depth (multi-layer) strategy to protect its devices, systems, and networks from not only ransomware, but other types of malware and cyber attacks. Your strategy should include several layers of defence with several mitigation measures or security controls at each layer.”
The playbook advises organizations to take the following steps:
1-create a backup plan, which includes preventing backups from being corrupted;
2-create an incident response plan, and practice the plan;
3-create a recovery plan, which starts with having an inventory of all hardware and software;
4-manage all user and administrator accounts to make sure staff aren’t using insecure passwords, and that only those who need it have access to sensitive data. Harden account logins with multifactor authentication;
5-have a cybersecurity awareness program that regularly reminds staff of how to be safe and recognize cyber threats;
6-implement cybersecurity controls, including creating an application-allow list to control who or what is allowed access to your networks and systems, a robust application patching process, and email domain protection;
7-segment the IT network to ensure sensitive and high-value information is in a separate zone of your network;
8-protect systems that are connected or exposed to the Internet with encryption, firewalls, MFA, and frequent vulnerability assessments.