Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets in May 2024

Note

 

This May 2024 trend report on the deep web and dark web is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actor. Please note that some of the content has not yet been confirmed to be true.

 

Major Issues

 

1. Ransomware

 

(1) LockBit

The LockBit ransomware gang’s attack against London Drugs was revealed a month after it took place. London Drugs is a retail pharmacy chain established in 1945 and headquartered in Canada. Besides medical products, it now sells a range of goods such as electronics, cosmetics, and food. It operates over 79 stores across several Canadian provinces, including British Columbia, Alberta, Manitoba, and Saskatchewan, with about 9,000 employees.

At noon on Sunday, April 28th, 2024, London Drugs announced through social media that all 79 of its stores across western Canada were closed due to operational issues. The next day, it stated that the stores had been closed as a preventive measure in response to a cybersecurity issue. The company added that it had taken response measures immediately upon discovering the issue and had engaged security experts to investigate. As a result, all store services except the emergency drugstore service were halted, and employees were temporarily stationed in all London Drugs stores to assist with the emergency service. London Drugs initially stated that it had no evidence of customer or employee data being affected. After 3 days, however, the company announced that it was investigating the extent of the data impact and would notify individuals if their personal information was affected.


Figure 1. London Drugs’ social media post announcing the operational issue

While all 79 stores resumed operation[1] starting on May 7th, the website remained unavailable due to an internal error. On May 18th, the company’s COO and president, Clint Mahlman, admitted in an announcement that sensitive employee data had been leaked. London Drugs stated that it is offering free credit monitoring and identity theft protection services for 24 months as preventive measures.


Figure 2. A post by London Drugs announcing the resumption of operations
 

On May 21st, a month after the incident, the LockBit ransomware gang posted that it had attacked London Drugs and demanded a ransom of 25 million US dollars. The gang listed London Drugs as a victim on its dedicated leak site (DLS) and said it would release the data if the ransom was not paid within 48 hours. However, the company was removed from the victim list on May 22nd. A victim is removed from the list either because it paid the ransom or because it entered negotiations with the gang. Yet since London Drugs affirmed that it will not pay the ransom, the company is unlikely to have entered negotiations with the ransomware gang, so it is unclear why the company was removed from LockBit’s DLS.

 


[1] https://www.londondrugs.com/store-reopening-details.html