LockBit Ransomware Attack on Toronto District School Board

In June 2024, the Toronto District School Board (TDSB) experienced a significant ransomware attack orchestrated by the notorious LockBit3 group. This incident resulted in the exfiltration of approximately 96 GB of sensitive student data. The breach occurred within a separate technology testing environment, compromising critical information such as student names, school details, grades, TDSB email addresses, student numbers, and dates of birth for students from the 2023/2024 school year.

About the Toronto District School Board

The TDSB is the largest school board in Canada and the fourth largest in North America, serving over 255,000 students across approximately 600 schools, including 473 elementary schools, 110 secondary schools, and five adult education facilities. Established on January 1, 1998, the TDSB is known for its commitment to multicultural education and inclusivity, representing more than 200 nationalities and 75 languages. The board operates with a substantial budget of approximately CA$3.4 billion for the 2022-2023 school year, which is allocated towards educational programs, staff salaries, and infrastructure maintenance.

Details of the Attack

The ransomware attack by LockBit3 targeted a separate technology testing environment within the TDSB, leaving the board's official networks unaffected. LockBit3 claimed responsibility for the breach and threatened to release the stolen data unless a ransom was paid within 13 days. Despite the threat, TDSB and its external cybersecurity experts assessed the risk as low, noting no evidence of the data being publicly disclosed on the dark web. In response, TDSB swiftly secured its systems, disconnected the affected testing environment, and implemented enhanced security measures. The incident has been reported to law enforcement and the Office of the Information and Privacy Commissioner of Ontario, and an ongoing investigation is underway.

About LockBit Ransomware Group

LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files and is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.

Penetration and Vulnerabilities

LockBit's ability to penetrate the TDSB's systems likely stemmed from exploiting vulnerabilities within the separate technology testing environment. The ransomware group is known for its modular design, which encrypts its payload until execution to hinder malware analysis and detection. Additionally, LockBit performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. The attack underscores the importance of stringent cybersecurity measures, particularly in environments handling sensitive data.

Sources

• Toronto District School Board
• Toronto District School Board - Wikipedia
• SOCRadar - Dark Web Profile: LockBit 3.0 Ransomware
• Cyber.gov.au - Ransomware Profile: LockBit 3.0