Skip to content
Join our Newsletter

London Drug ransom demand dropped from dark-web site; meaning unclear

In some cases, such a move has meant the ransomware victim has agreed to pay or negotiate, an expert says. London Drugs said Tuesday it is “unwilling and unable to pay ransom to these cybercriminals.” 
web1_vka-londondrugs-10772
A London Drugs store in Colwood. DARREN STONE, TIMES COLONIST

A ransomware gang is threatening to release confidential data it claims to have stolen from London Drugs if it isn’t paid $25 million by Thursday. 

The retailer and pharmacy chain closed all of its 79 stores in Western Canada after a cybersecurity breach was discovered on April 28. Stores, including ones on Vancouver Island, weren’t fully reopened until May 7. 

On Tuesday, London Drugs confirmed to the Times Colonist that the cyberattack was orchestrated by a “sophisticated group of global cybercriminals” that took electronic files from its corporate head office. 

While the company did not name the group responsible for the attack, ransomware syndicate LockBit on Tuesday posted a notice on a dark-web site where stolen information is posted threatening to release the data it had stolen unless it was paid $25 million in the next 48 hours. 

On Wednesday, LockBit dropped London Drugs from its listings. 

Shawnigan Lake-based threat analyst Brett Callow, who works for anti-malware and anti-virus software firm Emsisoft, said in some cases, such a move has meant the ransomware victim has agreed to pay or negotiate. 

Asked about the relevance of the dropped listing on Wednesday, Tartanbond senior vice-president Jessica Harcombe Fleming, representing London Drugs, said that she’s not aware of what’s posted or not posted. “It’s out of our control.” 

Harcombe Fleming said the company had nothing to add from its statement Tuesday, when it said it is “unwilling and unable to pay ransom to these cybercriminals.” 

Callow said Emsisoft was aware of the initial listing “pretty much straightaway” due to trackers the company has on the dark net. 

LockBit claimed that London Drugs had offered to pay an $8-million ransom, without providing any evidence. 

The group also did not provide any details about the data it claims to have stolen. 

On Tuesday, London Drugs said it believes no customer, patient or employee databases were compromised. 

“Should this change as the investigation continues, we will notify affected individuals in accordance with privacy laws,” it said, adding that a review of the cyber incident is still ongoing. 

London Drugs is taking “all available steps” to mitigate impacts from the ransom attack, including notifying all of its current employees of the potential effects, the statement said. 

It is providing 24 months of free credit monitoring and identity-theft protection services, the statement said. 

The company did not make anyone available for an interview Tuesday. 

Callow said there’s no reason to believe there’s any connection between any of the recent cyberattacks that hit B.C.-based organizations, such as the B.C. Libraries Cooperative and the three cybersecurity attacks on the provincial government since April 10. “The government and London Drugs will undoubtedly have been in contact, but there are thousands of these incidents every year.” 

LockBit alone had several dozen ransomware threats on its site on Tuesday. The group is among the most prolific ransomware syndicates in the world, accounting for 23 per cent of nearly 4,000 attacks globally last year, according to cybersecurity firm Palo Alto Networks. 

There is a “very real risk” that LockBit will carry out its threat and release the data if the ransom isn’t paid, Callow said. 

It’s impossible to know exactly what information the group has obtained from London Drugs, he said. “I’ve seen numerous past cases where organizations have had to walk back their initial statements … they had to admit that it had been compromised when the ransomware group released the data.” 

In February, law-enforcement agencies led by Britain’s National Crime Agency arrested two people in Poland and Ukraine and seized 200 cryptocurrency accounts in an international operation targeting LockBit. 

At the time, U.S. Attorney General Merrick Garland said the agencies obtained decryption keys that could help victims decrypt their captured systems and regain access to their data during that bust. 

One dual Russian-Canadian national, Mikhail Vasiliev, is in custody in Canada in connection with LockBit and is awaiting extradition to the United States. 

Authorities have said that there’s no evidence that LockBit, which is dominated by Russian-speakers and does not attack former Soviet nations, is a state-backed group. 

London Drugs has about 8,000 employees, according to its website. 

[email protected]