LockBit claims breach on Canada’s largest school board: Is the group back with a vengeance?
LockBit has claimed responsibility for a breach on the Toronto District School Board (TDSB), as well as a series of other unconfirmed incidents, after a period of ostensible inactivity.
TDSB is the largest school board in Canada with a catchment comprising over 580 schools and around 235,000 students. The initial intrusion occurred on June 12 2024, when TDSB discovered an unauthorized third party had gained access to its technology test environment.
An update released on 29 August described the affected system as a “separate environment” used by TDSB’s IT teams to test programs before deploying them on the organization’s network.
TDSB confirmed that the test environment contained information linked to an undisclosed number of students from the 2023/24 school year, which could include their name, school name, grade, TDSB email address, TDSB student number, and date of birth.
The board stated its internal security staff and external teams were working to remediate the incident, adding current reports indicate the risk to students remains low.
“We want to emphasize that, at this time, our cyber security teams and external security partners have advised that the risk to our students in connection with this cyber incident is low and that they have not seen any public disclosure of student data as part of their investigations, which includes monitoring of the dark web and other online locations.”
Security experts not convinced of LockBit’s return from the ashes
LockBit posted TDSB, as well as a series of other alleged victims, on its leak site on 29 August in what appears to be a bid to reinstate itself as an active and leading member of the ransomware industry.
The collective, which ran rampant encrypting and exfiltrating data from high-profile targets around the world in recent years, had its extortion activities curtailed significantly after a number of law enforcement engagements targeting senior figures of the operation.
Two alleged members of the group, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, both holding Russian citizenship, were convicted in a US federal court for their roles in LockBit ransomware attacks.
Moreover, the alleged ringleader of the collective, Dmitry Khoroshev, had his identity revealed during a campaign led by the UK’s National Crime Agency (NCA) aimed at disrupting the group’s operations in May this year.
The NCA and partnered agencies from the US offered a $10 million bounty on any information that could lead to his arrest.
This latest flurry of activity could be an attempt by the group to reclaim its status as a potent ransomware threat in light of its recent dormancy.
Reacting to the new listings, security analyst Dominic Alvieri announced the LockBit group was active once more, but some commentators have cast doubt on some of the unconfirmed attacks.
A number of the listings are claimed to contain false information or to name victims that don’t exist. For example, one listing for inces[.]com was added on 29 August, but the company that owned the domain was dissolved in 2023.
Allan Liska, part of Recorded Future’s computer security incident response team (CSIRT), suggested these inconsistencies were a sign the group may be struggling to maintain its operations.
He said the group’s recent activity demonstrated it is “increasingly desperate for attention and have to resort to making up fake victims”.