The City of Toronto has confirmed that it fell victim to the Clop ransomware group. The group has recently been on a hacking spree and claims to have stolen data from more than 130 victims.
City of Toronto Cyber Attack
The group carried out the attacks by exploiting a vulnerability in Fortra's GoAnywhere managed file transfer product. Although it is unclear how much ransom Clop is demanding, or whether the City of Toronto is willing to pay, the City has already been listed on the group's leak site.
The data leak site marks the stolen information as "coming soon," alongside details such as the victim's headquarters address, phone number, website, and revenue, listed as $11.3 billion, as reported by BleepingComputer.
The City of Toronto confirmed that the attackers gained unauthorized access to City data through a third-party vendor, and that the City was made aware of the incident on March 20th, according to a City spokesperson.
The spokesperson also stated that the data stolen was limited to files that were not processed through the third-party secure file transfer system, and that the City is still investigating which files the threat actors were able to access.
They added that the City is committed to protecting the privacy and security of the people of Toronto, and claim to "successfully ward off cyber attacks on a daily basis." Nevertheless, the Clop group still managed to exploit the vulnerable version of Fortra's software.
The flaw in Fortra's GoAnywhere was exploited as a zero-day, that is, before a fix was available, which prompted Fortra to urge its customers to patch their systems, according to reports. The exploitation led to more than 130 data breaches in the span of ten days, and the number continues to grow.
Clop Ransomware
Like most ransomware groups, Clop both encrypts its victims' files and steals copies of them, then demands a ransom for the decryption key and for not publishing the stolen data. The group first appeared in 2019 and quickly established itself as a serious threat to organizations and businesses.
Its victims range from multinational energy companies to universities in the United States, and the group has reportedly collected $500 million in ransom payments, a figure that will keep growing along with its list of victims.
The group is reported to disable Windows Defender and Microsoft Security Essentials as part of its infiltration process, which lets the attackers move through the system faster and steal the victim's data unhindered.
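Disabling the endpoint antivirus is one of the few steps in that process a defender can reliably look for. The following is an added example written for this article, not code from Clop, Microsoft, or any vendor cited here: a small detector that flags Defender tampering from two telemetry sources, Defender Operational log events and process-creation command lines. The event IDs 5001 (real-time protection disabled) and 5010 (malware scanning disabled) are taken from the Microsoft-Windows-Windows Defender/Operational log as Microsoft documents it; the host names and log records below are constructed for the example.

```python
"""Flag attempts to switch off Microsoft Defender on a Windows endpoint.

Added illustration only. Defender Operational event IDs 5001 and 5010 are as
documented by Microsoft; all telemetry records here are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Defender Operational log event IDs that mean protection was turned off.
DEFENDER_DISABLED_EVENTS = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
}

# Command-line shapes an intruder uses to disable Defender from a shell.
# Each regex is matched case-insensitively against the full command line.
TAMPER_PATTERNS = [
    (re.compile(r"Set-MpPreference.*-Disable\w*Monitoring\s+\$?true", re.I),
     "PowerShell Set-MpPreference disabling monitoring"),
    (re.compile(r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+WinDefend\b", re.I),
     "Defender service stopped or reconfigured"),
    (re.compile(r"reg(\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware", re.I),
     "DisableAntiSpyware policy written to the registry"),
    (re.compile(r"Add-MpPreference.*-ExclusionPath", re.I),
     "Defender exclusion path added"),
]


@dataclass
class Alert:
    host: str
    reason: str
    evidence: str


def check_event(record: dict) -> Optional[Alert]:
    """record is a Defender Operational entry: {"host", "event_id", "message"}."""
    reason = DEFENDER_DISABLED_EVENTS.get(record.get("event_id"))
    if reason is None:
        return None
    return Alert(record["host"], reason,
                 f"event {record['event_id']}: {record['message']}")


def check_process(record: dict) -> Optional[Alert]:
    """record is a process-creation entry: {"host", "image", "command_line"}."""
    cmd = record.get("command_line", "")
    for pattern, reason in TAMPER_PATTERNS:
        if pattern.search(cmd):
            return Alert(record["host"], reason, cmd)
    return None


def scan(events, processes):
    """Return every alert raised over the two telemetry streams, events first."""
    alerts = [a for r in events if (a := check_event(r))]
    alerts += [a for r in processes if (a := check_process(r))]
    return alerts


# Constructed sample telemetry; host names and commands are invented.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "event_id": 1001, "message": "Scan finished."},
    {"host": "ws-finance-07", "event_id": 5001,
     "message": "Real-time protection is disabled."},
]
SAMPLE_PROCESSES = [
    {"host": "ws-finance-07", "image": "powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c '
                     '"Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "ws-finance-07", "image": "powershell.exe",
     "command_line": "powershell.exe Get-MpComputerStatus"},   # benign query
    {"host": "srv-file-02", "image": "sc.exe",
     "command_line": "sc stop WinDefend"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, SAMPLE_PROCESSES):
        print(f"[{alert.host}] {alert.reason}: {alert.evidence}")
```

The two streams complement each other: the command-line patterns catch the attempt even when it fails, while event 5001 catches a successful disable however it was achieved, including through the GUI or a management tool the patterns do not cover. In a real deployment both should be centralised off the endpoint before the attacker can clear local logs.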
The data it targets includes backups, vouchers, email lists, financial records, and any other form of confidential or private information. The group leaks a sample of the stolen data to prove that it really holds it, according to Mimecast.
The group usually gains initial access through phishing campaigns, sending malicious links disguised as legitimate emails or software updates. Following such a link is what delivers the malware onto the system.
Once the files have been encrypted, recovering them without the attackers' key is practically impossible, and the decryption key is provided only once the ransom is paid. That is why offline backups the attackers cannot reach remain the only dependable way to restore the data without paying.