Library refused to pay ransomware group with links to Russia and record of big payouts

Canada’s largest-circulation library system is mired in a reduction of service projected to last months after being hit with a demand for tens of millions of dollars from an aggressive new ransomware outfit with a track record for securing big payouts.

The Toronto Public Library has refused to pay the group Black Basta, which targeted its data centre in late October, encrypting information and stealing personal details about employees. Library services have been limited through the crucial end of the school term period and holidays, and officials say it will take into the new year to get the system functioning normally again.

In the meantime, the library has reverted to preinternet methods. Staff are checking out materials by hand. Anything returned can’t be logged back into the system and has been taken out of circulation – about one million items so far filling 10 tractor trailers. In-library public computers are shut down and interbranch book transfer requests are not possible.

The attack happened less than a year after the Toronto library acknowledged its cybervulnerability. Many libraries face what Calgary Public Library spokeswoman Mary Kapusta described as an increase in hostile activity from hackers. Although unwilling to be specific about countertactics, she said her institution had increased funding for training and cyberprotection.

The Toronto library itself has been tight-lipped about the hack. It has issued a few statements but head librarian Vickery Bowles would not talk about the specifics of the attack or who was believed responsible.

“I’ve been advised by our cybersecurity experts and by legal counsel that I should not talk about the threat actor,” she said.

However, two people with direct knowledge of the situation revealed the scale of the ransom demand and also that the perpetrators were Black Basta. The Russia-linked criminal enterprise, dubbed Ransomware-as-a-service, emerged in 2022 and is known to have hit hundreds of targets.

The Globe and Mail is not naming the sources as they were not authorized to speak on the matter publicly. Toronto Police Service confirmed it is investigating but would offer no further information.

There has been a wave of cyberattacks on unconventional targets such as water utilities, courts and hospitals across North America.

“We’re seeing the public sector, in general, being more of a target,” said Sami Khoury, head of the Canadian Centre for Cyber Security, an arm of the Communications Security Establishment.

“The threat landscape is getting more sophisticated … things are shifting. What used to be nation-state [capability] last year might be a cyber-criminal capability today.”

Based on data of known incidents, the cybersecurity centre said Black Basta was in the top five of ransomware threats in Canada last year.

However, it’s unclear why Black Basta went after Toronto’s library. Municipal coffers in Canada are generally sparse and cyberanalysts with the U.S. government say these particular hackers are known for choosing specific targets, as opposed to making a deluge of attacks in the hopes that something sticks.

This approach has worked for the hacker group. According to an investigation of crypto-currency data by Corvus Insurance and Elliptic, a blockchain analytics firm, an estimated US$107-million has been paid to Black Basta since its emergence last year. The firm’s analysis found the average ransom payment was US$1.2-million and the biggest US$9-million.

In Toronto, the hackers stole personal information, including addresses and social insurance numbers of library employees and staff at its foundation, which raises money for the library. However, a search of recent material at Black Basta’s data-leak site on the deep web suggests this has not been released.

While data about the Toronto library’s approximately 1.1 million card holders are not believed to have been compromised, patrons have been unable to use the library’s online services since late October.

Library materials cannot be ordered from another branch. Users also cannot search online to determine in which branch they might locate what they’re seeking. However, e-books remain available for download.

Library services have been reduced at a difficult time, as Toronto students prepare for exams and work on term papers. According to library data, 61 per cent of people using its technology report having no other access to technology. And low-income families will not be able to take advantage over the holidays of an arrangement that allows access to museums and other cultural attractions with a library card.

Toronto’s library system dates to an 1883 referendum in which residents backed a free library. It now has 100 branches and more than 12 million items. It is the biggest library system in the country and among the global leaders of public libraries when ranked by circulation per capita. This year its operating budget was $235million, largely funded by the city.

That such a major and comparatively well-resourced library system could fall victim to an attack has raised alarms among its peers. Also heightening fears was the recent attack on the British Library, one of the largest in the world, which was attacked by the hacker group Rhysida. The library says it could be months before there’s a full resumption of service.

In the case of Toronto, the sources said the library has not identified how hackers got access. However, it had earlier recognized its own weak security.

Although the library had safeguards such as training and antiphishing campaigns, it reported in March to its board that it was falling short in areas such as secure passwords, administrativeaccount management and network-access management.

“TPL is at a developing level of maturity for the IT security program,” the report stated. “The focus for the last year has been to assess the current state, close quick-win gaps, and continue reporting on security operations.”

Ms. Bowles said progress had been made on computer security, but that the reality was the library was operating in a world of sophisticated cybercriminals.

One source connected with the Toronto library said there had been hopes initially that the hackers would have second thoughts about their choice of target and unlock the data out of pity.

That hope died as the weeks turned into months. The latest estimate from the library is that service won’t begin to come back on-stream until January.