{ "id": "036dbdaf-ee47-428f-882c-e273181b2ee9", "created_at": "2026-04-06T00:07:23.090738Z", "updated_at": "2026-04-12T02:21:01.567398Z", "deleted_at": null, "sha1_hash": "8291f9ff844473d03ff400c0e668d924334e7e56", "title": "LockBit says they stole data in London Drugs ransomware attack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 5358010, "plain_text": "LockBit says they stole data in London Drugs ransomware attack\r\nBy Sergiu Gatlan\r\nPublished: 2024-05-21 · Archived: 2026-04-05 22:20:02 UTC\r\nToday, the LockBit ransomware gang claimed they were behind the April cyberattack on Canadian pharmacy chain London\r\nDrugs and is now threatening to publish stolen data online after allegedly failed negotiations.\r\nLondon Drugs has over 9,000 employees who provide healthcare and pharmacy services in over 80 stores across Alberta,\r\nSaskatchewan, Manitoba, and British Columbia.\r\nAn April 28 cyberattack forced London Drugs to close all its retail stores across Western Canada. The company said it found\r\nno evidence that customer or employee data was impacted.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Should our investigation indicate any personal information has been compromised, we would notify those impacted and\r\napplicable privacy commissioners in accordance with applicable privacy laws,\" the pharmacy chain said at the time.\r\nOn May 9, London Drugs' President and Chief Operating Officer (COO) Clint Mahlman confirmed again that third-party\r\ncybersecurity experts hired to conduct a forensic investigation found no evidence that \"customer databases, including our\r\nhealth data and LDExtras data,\" were compromised.\r\nWhile London Drugs has since re-opened all shutdown stores, the company's website is still down and displaying an error\r\nstating, \"The server encountered an internal error that prevented it from fulfilling this request.\"\r\nEarlier today, the LockBit ransomware operation added London Drugs to its extortion portal, claiming the April cyberattack\r\nand threatening to publish data allegedly stolen from the company's systems.\r\nLondon Drugs listed on LockBit's extortion website (BleepingComputer)\r\nThe ransomware gang has yet to provide proof that they stole any files from London Drugs servers, claiming only that\r\nnegotiations with London Drugs to pay a $25 million ransom have failed.\r\nWhile it didn't confirm LockBit's claims, a London Drugs statement shared with BleepingComputer says the company\r\nis aware the ransomware gang said they stole \"files from its corporate head office, some of which may contain employee\r\ninformation\"—as seen in the screenshot above LockBit only mentioned \"stolen data.\"\r\nLondon Drugs added that they will not and cannot pay the ransom requested by LockBit, but acknowledged that the gang\r\n\"may leak stolen London Drugs corporate files, some of which may contain employee information on the Dark Web.\"\r\n\"At this stage in our investigation, we are not able to provide specifics on the nature or extent of employee personal\r\ninformation potentially impacted. Our review is underway, but due to and the extent of system damage caused by this cyber\r\nincident, we expect this review will take some time to perform,\" London Drugs said.\r\n\"Out of an abundance of caution, we have proactively notified all current employees and provided 24 months of\r\ncomplimentary credit monitoring and identity theft protection services, regardless of whether any of their data is ultimately\r\nfound to be compromised or not.\"\r\nLockBit ransomware's rise and fall\r\nThis ransomware-as-a-service (RaaS) operation surfaced in September 2019 as ABCD and then rebranded as LockBit.\r\nSince its emergence, LockBit has claimed attacks against many government and high-profile organizations worldwide,\r\nincluding Boeing, the Continental automotive giant, the Italian Internal Revenue Service, Bank of America, and the UK\r\nRoyal Mail.\r\nLaw enforcement took down LockBit's infrastructure in February 2024 in an action known as Operation Cronos, seizing 34\r\nservers containing over 2,500 decryption keys that helped create a free LockBit 3.0 Black Ransomware decryptor.\r\nBased on the seized data, the U.S. DOJ and the U.K.'s National Crime Agency estimate that LockBit has extorted between\r\n$500 million and $1 billion after 7,000 attacks targeting organizations worldwide between June 2022 and February 2024.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nPage 3 of 5\n\nLockBit domain seizure (BleepingComputer)\r\nHowever, LockBit is still active and has moved to new servers and dark web domains. It keeps targeting victims around the\r\nworld and releasing massive amounts of old and new data in retaliation to the recent infrastructure takedown by U.S. and\r\nU.K. authorities.\r\nLockBit's claims that it was behind the London Drugs cyberattacks come after another international law enforcement\r\noperation doxxed and sanctioned the ransomware gang's leader as a 31-year-old Russian national named Dmitry Yuryevich\r\nKhoroshev, using the \"LockBitSupp\" online alias.\r\nThe U.S. State Department now offers a $10 million reward for information leading to LockBit leadership arrest or\r\nconviction and an additional $5 million for any tips that could lead to the apprehension of LockBit ransomware affiliates.\r\nPrevious charges and arrests of Lockbit ransomware actors include Mikhail Vasiliev (November 2022), Ruslan\r\nMagomedovich Astamirov (June 2023), Mikhail Pavlovich Matveev aka Wazawaka (May 2023), Artur Sungatov and Ivan\r\nGennadievich Kondratiev aka Bassterlord (February 2024).\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/\r\nPage 5 of 5\n\nservers containing Based on the seized over 2,500 decryption data, the U.S. keys that DOJ and the helped create U.K.'s National a free LockBit Crime Agency estimate 3.0 Black Ransomware that LockBit decryptor. has extorted between\n$500 million and $1 billion after 7,000 attacks targeting organizations worldwide between June 2022 and February 2024.\n Page 3 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/" ], "report_names": [ "lockbit-says-they-stole-data-in-london-drugs-ransomware-attack" ], "threat_actors": [ { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-12T02:00:04.70216Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434043, "ts_updated_at": 1775960461, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8291f9ff844473d03ff400c0e668d924334e7e56.pdf", "text": "https://archive.orkl.eu/8291f9ff844473d03ff400c0e668d924334e7e56.txt", "img": "https://archive.orkl.eu/8291f9ff844473d03ff400c0e668d924334e7e56.jpg" } }