Cyber Incident Victim: Resort Municipality of Whistler
Date: Apr 2021
Location: Canada
Summary
The Resort Municipality of Whistler, a Canadian destination with significant tourism activity, experienced a ransomware attack disrupting its network, website, email, and phone systems, forcing suspension of online services and select in-person operations. Attackers compromised the municipal website to display a dark web negotiation link, indicating data theft alongside encryption, with the ransomware group later claiming possession of approximately 800 GB of sensitive information—including personal details, emails, and internal documents—threatening an auction if unpaid. The municipality engaged cybersecurity professionals and law enforcement while advising the public to exercise caution regarding communications purportedly originating from its compromised systems.
Description
On April 28, 2021, the Resort Municipality of Whistler (RMOW), a resort community in British Columbia, Canada, experienced a ransomware attack that disrupted municipal operations. The attack forced RMOW to proactively shut down its network, website, email systems, and phone services to contain the incident. This led to the suspension of all online municipal activities and certain in-person services, including operations at the municipal hall. The Whistler.ca website was compromised during the attack, displaying a message that the site was "under construction" and directing visitors to contact support via a Tor dark web URL provided by the attackers. This URL linked to a dark web chat platform used by the ransomware operators to negotiate ransom payments and threaten the release of stolen data. The attackers claimed to have encrypted RMOW's network and exfiltrated unencrypted files during the breach, a tactic consistent with modern ransomware operations. The municipality confirmed the incident publicly on April 28, apologizing for service disruptions and promising updates as systems were restored.

RMOW engaged cybersecurity experts and the Royal Canadian Mounted Police (RCMP) to investigate the attack and mitigate its effects. The municipality issued a public advisory urging vigilance against suspicious communications purporting to originate from RMOW, emphasizing that it does not request private personal information via phone or email. On April 30, 2021, the ransomware group escalated its threats by claiming possession of approximately 800 GB of stolen data, including personal information such as names and addresses, SQL databases, email archives, passwords, network schematics, and private documents. The attackers announced plans to auction this data on the dark web within seven days if a ransom was not paid, describing the data as "yum yum" to potential buyers. RMOW did not publicly disclose whether negotiations occurred or if any ransom was paid. Service restoration timelines and specific technical details about the ransomware variant or initial attack vector were not provided in available communications.
