Cyber Incident Victim: Town of St. Marys

Date:

Jul 2022

Location:

Canada

Summary

The Town of St. Marys experienced a ransomware attack by the LockBit gang, which breached internal servers and encrypted municipal data. Critical services including fire, police, transit, and water systems remained operational despite the incident. LockBit issued a ransom demand with a threat to publish stolen data if unpaid, listing the town on its dark web leak site. Local officials collaborated with cybersecurity experts and legal counsel to address the breach, while public-facing systems displayed notifications about the ongoing investigation. This incident exemplifies LockBit's prominence as a leading ransomware operator, responsible for a significant portion of global extortion attacks during that period.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On July 20, 2022, the LockBit ransomware gang breached the internal servers of St. Marys, a small town in southwestern Ontario, Canada, encrypting stored data and disrupting municipal operations. The attackers listed St. Marys on their dark web victim site, issuing a ransom demand with a deadline for payment and threatening to publish stolen data if unpaid. Town officials confirmed the incident publicly, noting their website displayed a notice about the cybersecurity investigation while internal systems remained locked. Mayor Al Strathdee stated a collaborative response team—comprising town staff, cybersecurity experts, and legal counsel—was working continuously to resolve issues stemming from the attack. Critical infrastructure services including fire, police, public transit, and water/wastewater systems maintained normal operations throughout the incident. The attack exclusively affected internal servers and data storage systems, with no evidence of lateral movement into operational technology controlling essential services. LockBit’s public extortion tactic followed its established pattern of pressuring victims through data-leak threats.

LockBit maintained its position as the most active ransomware group during Q2 2022, accounting for 33% of all attacks involving data-leak site postings according to Digital Shadows’ research. The group claimed 231 victims during this period—more than triple the count of second-place Conti ransomware (70 victims)—demonstrating its operational scale despite industry attrition affecting competitors like REvil and Darkside. Having operated since 2019, LockBit survived longer than many rival groups while evolving through multiple malware generations. The attack on St. Marys occurred amid a broader 21% quarterly increase in ransomware incidents, with 705 total victims publicly listed across all groups in Q2 2022. Digital Shadows analysts projected further escalation in attack frequency through 2022. LockBit’s targeting of a small municipality underscored its opportunistic approach, exploiting potentially weaker defenses in smaller government entities while maintaining attacks on larger organizations.
