Toronto School Board Hit by LockBit Ransomware, 96GB Data Stolen

Incident Date: August 30, 2024

Overview

Title: Toronto School Board Hit by LockBit Ransomware, 96GB Data Stolen

Victim: Toronto District School Board

Attacker: Lockbit3

Location: Scarborough, Canada

First Reported: August 30, 2024

LockBit Ransomware Attack on Toronto District School Board

In June 2024, the Toronto District School Board (TDSB) experienced a significant ransomware attack orchestrated by the notorious LockBit3 group. This incident resulted in the exfiltration of approximately 96 GB of sensitive student data. The breach occurred within a separate technology testing environment, compromising critical information such as student names, school details, grades, TDSB email addresses, student numbers, and dates of birth for students from the 2023/2024 school year.

About the Toronto District School Board

The TDSB is the largest school board in Canada and the fourth largest in North America, serving over 255,000 students across approximately 600 schools, including 473 elementary schools, 110 secondary schools, and five adult education facilities. Established on January 1, 1998, the TDSB is known for its commitment to multicultural education and inclusivity, representing more than 200 nationalities and 75 languages. The board's budget for the 2022-2023 school year was approximately CA$3.4 billion, allocated towards educational programs, staff salaries, and infrastructure maintenance.

Details of the Attack

The ransomware attack by LockBit3 targeted a separate technology testing environment within the TDSB, leaving the board's official networks unaffected. LockBit3 claimed responsibility for the breach and threatened to release the stolen data unless a ransom was paid within 13 days. Despite the threat, TDSB and its external cybersecurity experts assessed the risk as low, noting no evidence of the data being publicly disclosed on the dark web. In response, TDSB swiftly secured its systems, disconnected the affected testing environment, and implemented enhanced security measures. The incident has been reported to law enforcement and the Office of the Information and Privacy Commissioner of Ontario, and an investigation is underway.

About LockBit Ransomware Group

LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. LockBit employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files and is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network.

Penetration and Vulnerabilities

LockBit's ability to penetrate the TDSB's systems likely stemmed from exploiting vulnerabilities within the separate technology testing environment. The ransomware is known for its modular design and keeps its payload encrypted until execution to hinder malware analysis and detection. Additionally, LockBit performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. The attack underscores the importance of stringent cybersecurity measures, particularly in environments handling sensitive data, including test environments that hold real student records.
