London Drugs hackers seek millions in ransom on claims of stolen employee data

London Drugs has confirmed that the cybersecurity breach that forced it to close stores across Western Canada for more than a week was a ransomware attack.

In a statement, the company said there remained no indication that customer or “primary employee” data was accessed. But it confirmed that the attackers were able to steal files from its corporate head office, some of which may include employee information.

“London Drugs is unwilling and unable to pay ransom to these cybercriminals,” the company said.

“London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted.”

The attackers are seeking a ransom of $25 million and threatening to post the stolen data on the dark web, according to threat analyst Brett Callow, who heads Vancouver Island-based cybersecurity company Emsisoft.

Callow said notorious ransomware operation LockBit has claimed responsibility on its dark web extortion website.

LockBit has claimed London Drugs offered to pay $8 million but says it will release the stolen data if it isn’t paid the full amount within 48 hours, according to its post. London Drugs is not confirming any details about the ransom demands.

“LockBit has been one of the most prolific ransomware operations since 2019. They have launched successful attacks against thousands of organizations,” Callow said.

“They are known to have reaped more than $100 million in ransom demands.”

Callow said the U.K. National Crime Agency, working with international law enforcement, successfully disrupted LockBit in February.

That operation led to the arrest of two people in Poland and Ukraine and the seizure of 200 cryptocurrency accounts.

U.K. officials also unmasked the organization’s kingpin as Russian national Dmitry Khoroshev, who is now the subject of a $10 million reward posted by U.S. authorities.

“That acted as a speedbump for sure, but they do seem to still be active,” he said, adding that extraditing Khoroshev from Russia is essentially impossible.

Callow said London Drugs was likely not unique as a target, explaining that ransomware attacks are “low effort” and deployed against numerous targets who the attackers believe may be able to pay.

The cyber racket is believed to have cost businesses as much as $1 billion last year alone, he said.

“The absolute best path is the one that London Drugs has taken, to refuse to pay,” he said.

“These people are untrustworthy bad faith actors, there is no guarantee that paying the demand will result in you either getting a key to decrypt your data or that whatever data was stolen will be deleted.”

London Drugs reopened its 79 stores across Western Canada on May 7, after painstakingly rebuilding systems targeted in the April 28 attack.

The company said Tuesday it was not able to provide specifics on the nature or extent of potentially affected employee personal information.

“Our review is underway, but due to and the extent of system damage caused by this cyber incident, we expect this review will take some time to perform,” it said.

It said it has proactively notified all current employees and is offering 24 months of credit monitoring and identity theft protection services.

The company added it will directly contact affected employees to notify them if any personal information was compromised.

© 2024 Global News, a division of Corus Entertainment Inc.