The Toronto Public Library (TPL), the largest public library system in Canada, with a collection of 12 million books across 100 branch libraries in the city, is dealing with an extended period of technical disruptions caused by a ransomware attack attributed to the Black Basta cybercriminal group.
In the wake of this incident, various digital services offered by TPL have been severely impacted. The tpl.ca website has been taken offline, making it inaccessible to patrons who rely on it for various library-related activities.
Additionally, users have reported difficulties accessing their online accounts, as well as disruptions to the tpl:map passes and digital collections services. Public computers and printing services are also unavailable.
Despite these service interruptions, the Toronto Public Library has assured the public that there is no evidence of personal information belonging to staff or library members being compromised during the cyberattack. The library is actively collaborating with law enforcement agencies and third-party cybersecurity experts to investigate and resolve the issue.
A temporary library website hosted on Typepad contains a notice stating, “TPL has proactively prepared for cybersecurity issues and promptly initiated measures to mitigate potential impacts.” The library has enlisted the assistance of cybersecurity experts and expects it may take several days before all systems are fully restored to normal operations.
While phone systems remain unaffected, email access is limited to users who were already logged into their Office 365 accounts; employees who were not logged in at the time have lost access to their email accounts. As a precaution, all other internal systems have been temporarily shut down to prevent further malware spread.
Of note, the attack did not encrypt the organization’s main servers containing sensitive data. This suggests that the threat actors behind the Black Basta ransomware may not have gained full access to the library’s networks and data.
Nevertheless, it remains unclear whether any data was stolen during the attack. Stolen data could be used as part of the extortion strategy typically employed by ransomware gangs.
The Black Basta ransomware group emerged in April 2022 and quickly shifted its focus to corporate targets, utilizing double-extortion tactics. Their collaboration with the QBot malware operation allowed them to infiltrate networks and steal valuable credentials.
Once they gained access to a network, they systematically pilfered data and, upon reaching the Windows domain controller, deployed encryption to hold devices hostage. Notably, Black Basta, like many ransomware operations, leverages a Linux encryptor to target VMware ESXi virtual machines running on Linux servers.
With ransomware attacks an ongoing threat, organizations need to strengthen their cybersecurity measures to safeguard their data and systems. To prevent future incidents, all stakeholders should remain vigilant, keep security protocols up to date, and consider implementing cybersecurity solutions that protect against such attacks.