Fraud Management & Cybercrime , Healthcare , Industry Specific

LockBit Demands $25M Ransom From Canadian Drug Store Chain

Threatens to Leak Stolen Data; Attack Temporarily Shut Down Retail Pharmacy Stores
LockBit Demands $25M Ransom From Canadian Drug Store Chain
Image: London Drugs

Russian-speaking cybercriminals demanded a $25 million ransom from Canadian pharmacy retail chain London Drugs following an attack detected in late April that forced the company to temporarily close its 79 stores across western Canada for more than a week.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

Ransomware-as-a-service group LockBit this week threatened to release data stolen in the attack unless London Drugs pays the ransom by Thursday. The cybercrime gang complained that so far, London Drugs is "only willing" to pay $8 million of the demand, according to a screenshot of the LockBit leak site taken Tuesday. As of Wednesday, the listing for London Drugs did not appear on the LockBit site, but by Thursday morning the listing for the pharmacy chain was back up on the gang's website.*

"Someone help the poor pharma raise another 17 million dollars and the stolen data will not be released after 48 hours," LockBit taunted London Drugs.

London Drugs operates 79 stores across Alberta, Saskatchewan, Manitoba and British Columbia and employs more than 8,000 staff. The company, in a statement to Information Security Media Group on Wednesday, said that through its ongoing investigation into the incident, "we are now aware that London Drugs has been identified by cybercriminals on the dark web as a victim of exfiltration of files from its corporate head office, some of which may contain employee information."

The Richmond, British Columbia-based chain added that it "is unwilling and unable" to pay ransom to the cybercriminals.

"We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the dark web," the statement says.

London Drug said that to date, it has no indication of any compromise of patient or customer databases, and that the company's "primary employee specific databases" do not appear to have been compromised.

The firm said it has "proactively notified" all current employees and provided 24 months of credit monitoring and identity theft protection services.

London Drug did not respond to ISMG's request for additional details, including comment on LockBit's claims that the chain had been "willing" to pay an $8 million ransom.

"It shouldn't be assumed that London Drugs ever intended to pay the ransom," said Brett Callow, a threat analyst at security firm Emsisoft.

"Even if the company did make an offer of $8 million - which we only have the word of an untrustworthy bad faith actor for - it could have simply been a stalling tactic to buy time and slow the release of any data."

As of Wednesday, dark web monitoring firm counted 2,759 total LockBit victims to date. U.S. law enforcement agencies earlier this month publicly identified the leader of the ransomware gang "LockBitSupp" as 31-year-old Russian national Dmitry Yuryevich Khoroshev (see: LockBitSupp's Identity Revealed: Dmitry Yuryevich Khoroshev).

Attack Details

London Drug said it discovered on April 28 that it was the victim of a cybersecurity criminal attack.

The pharmacy retail chain notified law enforcement and government privacy commissioners, "and have been in ongoing communications with them" London Drugs said.

London Drugs temporarily closed all its stores shortly after discovering the incident, which also affected its phone systems. The company gradually started to reopen some of its stores on May 4, and the last of the locations reopened over the May 11-12 weekend. As of Wednesday, not all store pharmacy locations were offering full prescription filling services as some are still undergoing "final security checks."

"Our pharmacy staff are working hard to fulfill your prescription requests. We are working on a backlog of prescriptions due to the recent store/pharmacy closures," London Drugs said in a notice posted on its website.

In a letter to London Drugs' customers posted on the company's website on May 8, Clint Mahlman, the company's president and chief operating officer, apologized for the inconveniences caused by the temporary closure of its stores as the firm responded to the cyber incident.

"We have security measures in place and engage expert outside specialists to ensure the security of our systems while maintaining accessibility for our customers," Mahlman said.

"Our practices are regularly reviewed by independent auditors to uphold our commitment to privacy and security, he said. "No organization can be 100% safe from advanced cybersecurity incidents orchestrated by sophisticated third parties."

*Update: May 23, 2024 16:28 UTC to indicate that London Drugs was listed again on the LockBit site.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.