Skip to main content

Cybercriminals threaten to leak London Drugs data if it doesn't pay $25M ransom


Last month’s cyberattack on pharmacy and retail chain London Drugs that forced the closure of all its stores in Western Canada was orchestrated by a “sophisticated group of global cybercriminals” who are demanding a ransom—and say they’ll leak the company’s data if it doesn’t pay up.

In a statement to CTV News Tuesday, London Drugs said it has learned that it’s been “identified by cybercriminals on the dark web” as the victim of file theft from its corporate head office, and that some of those files may contain employee information.

The company said that to date it doesn’t appear that patient, customer or “primary employee” databases have actually been compromised, but the investigation into the cyberattack is ongoing.

In its statement, London Drugs did not name the criminal group behind the attack, but Brett Callow, a threat analyst at cybersecurity company Emsisoft identified it as LockBit, a prolific ransomware operation.

Callow told CTV News Emsisoft’s trackers found out about the ransom “fairly quickly” by pulling data off the dark web.

In a screenshot shared with CTV News, LockBit says it will release data it claims to have stolen from London Drugs in 48 hours if it does not pay $25 million. The post also claims that London Drugs has offered to pay $8 million.

London Drugs said it is “unwilling and unable to pay ransom to these cybercriminals.”

“We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the Dark Web. This is deeply distressing, and London Drugs is taking all available steps to mitigate any impacts from these criminal acts,” the statement continues.

London Drugs says it notified all current employees of the potential breach and offered 24 months of free credit monitoring and identity theft services, regardless of whether or not any of their data was ultimately stolen.

Callow said that London Drugs made “absolutely the right decision” by refusing to pay the ransom.

There’s no guarantee LockBit would delete the data if London Drugs capitulates, he explained, adding that law enforcement has previously found LockBit servers containing data from multiple companies that paid to have it erased.

“They are untrustworthy, bad-faith actors,” he said.

LockBit, through affiliates using its ransomware tools, has extorted $120 million from thousands of victims since 2019, which include airplane manufacturer Boeing, Britain’s National Health Service and China’s biggest bank, according to The Associated Press.

Its ransom demands range from the tens of thousands of dollars to tens of millions, Callow said.

He added that all London Drugs can do now is to support employees whose information may be compromised and hope law enforcement agencies take down LockBit.

Overall, cybercriminals collected $1.1 billion in ransom in 2023, according to crypto-tracing firm Chainalysis. “The bulk of that would have been paid by companies in the U.S. and Canada,” Callow said.

“Victims often claim that the attacks were sophisticated, but most ransomware attacks succeed because of fairly basic security failings, so there are absolutely things organizations can do to reduce the likelihood of becoming the next victim,” he said.

London Drugs said it would not give any interviews Tuesday. Top Stories

Stay Connected