The town of St. Marys, Ontario, Canada, has been investigating a security incident that locked its internal server and encrypted data.

The town’s IT systems were infected with LockBit ransomware on the 20th July. After officials became aware they took immediate measures, including shutting down the IT systems and limiting access to email to safeguard sensitive information. They also informed the Stratford Police Service and the Canadian Centre for Cyber Security.

St Marys has not paid the demanded ransom. It is working with cybersecurity experts to look into the source of the incident, restore backup data, and determine the extent of any damage.

Cybersecurity specialists are also supporting staff members as they attempt to unlock and decrypt the town’s systems: a process that could take many days.

The incident did not, however, disrupt the operation of essential municipal services such as fire, police, transport, and water/wastewater systems, which all continue to function as normal.

Municipal staff are carrying out their usual duties, and may be reached via phone, email, or in-person at town facilities.

“We have a skilled and knowledgeable team of town staff, cyber security experts and legal counsel working around the clock to resolve any issues related to this incident,” said Mayor Al Strathdee.

“I have full confidence in our team and want to assure the public that protecting their privacy is our top priority.”

According to The Verge, LockBit’s dark web page named the town’s website, townofstmarys.com, as a ransomware victim on 22nd July, previewing the files that had been taken and encrypted.

Images posted on the LockBit page show the Windows operating system’s file structure, which included folders relating to various municipal operations. They included health, finance, safety, sewage treatment, property files and public works.

The ransomware gang claimed to have taken 67 GB of data from St. Marys, including financial records.

The community was given until the afternoon of 30th July to pay, after which the information will be made public.

Strathdee acknowledged that the town had received a ransom demand from the LockBit ransomware group after systems were encrypted, although it had not yet paid anything.

While the Canadian government’s cybersecurity recommendations prohibited paying ransoms in general, Strathdee said the town will follow the incident team’s advice on how to proceed.

Recorded Future‘s analysis shows that the LockBit gang alone claimed responsibility for 50 ransomware events in June 2022, increasing its total number of victims to 903 and elevating it to the position of most prolific ransomware group globally.

St Marys is the second North American town LockBit has targeted, following Frederick, Colorado on the 14th July.

LockBit started offering ransomware-as-a-service in 2019, and recently surpassed Conti to become the most prolific ransomware gang in terms of the number of publicly-claimed victims.

The gang has conducted attacks against German library service Onleihe, a Foxconn plant, a Canadian fighter jet training facility, and the French mobile phone network La Poste Mobile.