Threatens to Leak Stolen Data; Attack Temporarily Shut Down Retail Pharmacy Stores
Russian-speaking cybercriminals demanded a $25 million ransom from Canadian pharmacy retail chain London Drugs following an attack detected in late April that forced the company to temporarily close its 79 stores across western Canada for more than a week.
Ransomware-as-a-service group LockBit this week threatened to release data stolen in the attack unless London Drugs pays the ransom by Thursday. The cybercrime gang complained that so far, London Drugs is “only willing” to pay $8 million of the demand, according to a screenshot of the LockBit leak site taken Tuesday. As of Wednesday, a listing for London Drugs does not appear on the LockBit site.
“Someone help the poor pharma raise another 17 million dollars and the stolen data will not be released after 48 hours,” LockBit taunted London Drugs.
London Drugs operates 79 stores across Alberta, Saskatchewan, Manitoba and British Columbia and employs more than 8,000 staff. The company in a statement to Information Security Media Group on Wednesday said that through its ongoing investigation into the incident, “we are now aware that London Drugs has been identified by cybercriminals on the dark web as a victim of exfiltration of files from its corporate head office, some of which may contain employee information.”
The Richmond, British Columbia-based chain added that it “is unwilling and unable” to pay ransom to the cybercriminals.
“We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the dark web,” the statement said.
London Drugs said that to date, it has no indication of any compromise of patient or customer databases, and that the company’s “primary employee specific databases” also do not appear to have been compromised.
The firm said it has “proactively notified” all current employees and provided 24 months of credit monitoring and identity theft protection services.
London Drugs did not respond to ISMG’s request for additional details, including comment on LockBit’s claims that the chain had been “willing” to pay an $8 million ransom.
“It shouldn’t be assumed that London Drugs ever intended to pay the ransom,” said Brett Callow, a threat analyst at security firm Emsisoft.
“Even if the company did make an offer of $8 million – which we only have the word of an untrustworthy bad faith actor for – it could have simply been a stalling tactic to buy time and slow the release of any data.”
As of Wednesday, dark web monitoring firm DarkFeed.io counted 2,759 total LockBit victims to date. U.S. law enforcement agencies earlier this month publicly identified the leader of the ransomware gang “LockBitSupp” as 31-year-old Russian national Dmitry Yuryevich Khoroshev (see: LockBitSupp’s Identity Revealed: Dmitry Yuryevich Khoroshev).
Attack Details
London Drugs said it discovered on April 28 that it was the victim of a cybersecurity criminal attack.
The pharmacy retail chain notified law enforcement and government privacy commissioners, “and have been in ongoing communications with them,” London Drugs said.
London Drugs temporarily closed all its stores shortly after discovering the incident, which also affected its phone systems. The company gradually started to reopen some of its stores on May 4, with the last of the locations reopened over the May 10 weekend. As of Wednesday, not all store pharmacy locations were offering full prescription filling services as some are still undergoing “final security checks.”
“Our pharmacy staff are working hard to fulfill your prescription requests. We are working on a backlog of prescriptions due to the recent store/pharmacy closures,” London Drugs said in a notice posted on its website.
In a letter to London Drugs’ customers posted on the company’s website on May 8, Clint Mahlman, the company’s president and chief operating officer, apologized for the inconveniences caused by the temporary closure of its stores as the firm responded to the cyber incident.
“We have security measures in place and engage expert outside specialists to ensure the security of our systems while maintaining accessibility for our customers,” Mahlman said.
“Our practices are regularly reviewed by independent auditors to uphold our commitment to privacy and security,” he said. “No organization can be 100% safe from advanced cybersecurity incidents orchestrated by sophisticated third parties.”