London Drugs waiting on LockBit’s next move after ransomware attack

As of the afternoon of May 23, the situation with Canada-based London Drugs remained unclear as LockBit reportedly posted on its dark web site that it would start releasing stolen data if a $25 million ransom was not paid by Thursday.

After initially reporting that no customer or employee data were impacted by the late April cybersecurity incident that led to the closing of nearly 80 stores, London Drugs acknowledged on May 18 that corporate head office files — some of which may have included employee details — were compromised.

While London Drugs continued to maintain it was not going to pay the ransom, on May 22 LockBit reportedly removed London Drugs from its dark web site. Precisely what that meant was still unclear to security pros. It could mean a ransom was paid, but it could also mean negotiations had broken off.

“Even though London Drugs presently ‘believes’ no information of value was stolen, the $25 million ransom demand is completely out of proportion with that statement,” said John Gunn, chief executive officer at Token. “So, a reasonable conclusion would be that London Drugs may have suffered a bigger breach than they realize. The cybercriminals could easily provide proof of this, but they have not yet.”

Gunn added that like any negotiation, neither side may be completely forthright, and cybercriminals are notorious liars, which makes it nearly impossible to draw any reliable conclusions from the gamesmanship going on.

“The $25 million demand could also simply be LockBit trying to raise the floor for the starting point of negotiations with the next victim," said Gunn.

LockBit defiant after taken down by authorities?

Anne Cutler, cybersecurity expert with Keeper Security, added that despite significant measures by global authorities to combat LockBit recently, this latest move suggests defiance from the ransomware group and could be a play to reinforce its reputation and intimidate potential victims.

“The healthcare sector is particularly vulnerable — and highly targeted — as the stakes are higher when the health of patients is at stake,” said Cutler.

Keep in mind that law enforcement has been very aggressive of late cracking down on LockBit. The U.S. Justice Department on May 7 unsealed charges against Russian national Dimitry Yuryevich Khoroshev for his alleged role as the creator, developer and administrator of LockBit.

Earlier this year, a taskforce of 17 agencies including the FBI, the UK’s National Crime Agency (NCA), and Europol took control of key LockBit infrastructure including numerous dark web websites.