London Drugs Gets Cracked By LockBit: Sensitive Employee Data Taken

On April 28, 2024, London Drugs suffered a ransomware attack in which cybercriminals stole sensitive data from its corporate head office. The attack led to the closure of all 79 stores across Western Canada until May 7 - more than a full week. The attack was attributed to the LockBit ransomware group and involved the exfiltration of files containing corporate information, including extensive internal records for London Drugs employees, immigration applications, sexual harassment complaints, and termination letters. So far, London Drugs claims that no patient or customer databases were compromised during the incident.

In this article, we review the impact on London Drugs, the extent of the data stolen, and the company's response to ransom demands to prevent the disclosure of sensitive personal information belonging to its personnel. Finally, we will summarize the LockBit ransomware gang, their tactics, and how recent efforts from global law enforcement agencies have failed to completely shut down LockBit attacks.

The Impact to London Drugs Operations

The cyberattack on London Drugs resulted in a complete shutdown of its operations, encompassing both storefronts and online services, lasting just over a week. This closure significantly disrupted services and operations across multiple provinces, including British Columbia, Alberta, Saskatchewan, and Manitoba. Pharmacy staff reportedly posted themselves outside stores to fill vital prescriptions for customers, but the impact on business operations was widespread and severe.

Despite the shutdown, London Drugs ensured that its staff continued to receive their salaries during the crisis and, remarkably, the company even celebrated employee anniversaries amidst the turmoil. The incident underscored vulnerabilities in London Drugs’ cybersecurity framework, prompting an extensive review and immediate response aimed at enhancing its defenses against future threats.

London Drugs stated it was “unwilling and unable” to pay the demanded ransom of $25M in 48 hours to the perpetrators. However, LockBit claimed in a tweet that London Drugs offered to pay $8 million of the total demanded ransom.

Employee Data and Corporate Files Leaked to Dark Web

The attack resulted in the compromise of a diverse array of sensitive employee information stored within London Drugs' corporate files. The stolen data included financial details, personal data such as sexual harassment complaints, immigration applications, and relationship disclosures, as well as employment records like termination letters and performance assessments, emergency contacts, medical data, and electronic signatures. 

Following the attack, some of these files were published on the dark web by the LockBit ransomware gang after the company declined to meet their ransom demands. London Drugs took quick action to notify affected employees and implemented credit monitoring and identity theft protection services to reduce the potential harm to individuals that may result from the data breach.

The compromised employee data included:

  • Financial information

  • Personal information (e.g., sexual harassment complaints, immigration applications, relationship disclosures)

  • Employment records (e.g., termination letters, performance assessments)

  • Emergency contacts and behavioral complaints

  • Medical data and electronic signatures

Who is the LockBit Ransomware Gang?

LockBit may refer both to the ransomware gang and to its signature strain of malware, which is capable of being automated, making it one of the most sophisticated and formidable global cybersecurity threats. LockBit was first observed in September 2019, and the most recent version, LockBit 3.0, emerged in June 2022. LockBit malware is considered one of the most prolific strains globally and has been implicated in roughly 22% of ransomware attacks against Canadian entities and more than 40% of global ransomware attacks.

While LockBit employs various methods to break into target networks, including malicious insiders and zero-day exploits, the group is also known to exploit known vulnerabilities in public-facing services. In its "second-stage," LockBit gathers network intelligence and focuses on exfiltrating and encrypting data. Finally, LockBit posts a ransom note to the infected system's desktop directing users how they can remit money to the gang - typically via Bitcoin - to regain access to their sensitive files and prevent the attackers from posting stolen data publicly. This tactic of extorting victims both for the decryption of files and to prevent the public sharing of stolen data is commonly known as double extortion.

In early 2024, U.S. and international law enforcement agencies made a coordinated effort to dismantle LockBit operations and hold its members accountable. The actions included seizing a portion of LockBit's infrastructure: public-facing websites and control servers crucial for launching ransomware attacks and extorting victims. The FBI also laid charges in early May 2024 against a Russian national considered to be the creator, developer, and administrator of the LockBit ransomware group. While this disruption may have prevented some attacks and allowed law enforcement to provide decryption keys to some previous victims, it has clearly not prevented the remaining members of LockBit from continuing to pillage large corporate entities.

Conclusion

The ransomware attack on London Drugs in April 2024 paralyzed operations across 79 stores in Western Canada for over a week, and further disrupted services in the other Canadian provinces. The breach resulted in the theft of sensitive corporate files, including extensive employee records like immigration applications, termination letters, and personal data such as financial information and medical records. 

Despite refusing to pay a demanded ransom of $25 million, London Drugs saw some of this compromised data leaked on the dark web. The incident highlighted vulnerabilities in the company's cybersecurity defenses, prompting immediate enhancements. Meanwhile, the LockBit ransomware gang, responsible for the attack, continues to pose a significant global threat despite recent law enforcement efforts to disrupt their operations.
