The City of Hamilton experienced one of Ontario's most disruptive ransomware attacks in February 2024, with threat actors deploying ransomware across multiple municipal systems. The attack crippled essential services including public transit, recreation facilities, and public health operations for several weeks, affecting hundreds of thousands of residents and demonstrating the vulnerability of municipal infrastructure to sophisticated cyber threats.

What Happened

On February 8, 2024, City of Hamilton IT personnel discovered ransomware had been deployed across critical municipal systems. The attack appears to have originated from compromised credentials obtained through a phishing email sent to a municipal employee approximately two weeks earlier. Threat actors maintained persistent access to the city's network for an extended period before deploying ransomware, allowing them to thoroughly map critical systems and maximise the impact of their encryption attack.

The ransomware variant deployed was LockBit 3.0, a particularly sophisticated ransomware family known for combining strong encryption with data exfiltration capabilities. Threat actors encrypted files across multiple municipal servers and issued demands for payment, threatening to publish exfiltrated data on dark web forums if the ransom was not paid.

Scope and Impact

The ransomware attack affected multiple critical city systems:

  • HSR transit system booking and payment systems, affecting public transportation
  • Recreation and facilities management systems, forcing closure of community centres and pools
  • Public health and emergency services systems, partially disrupting healthcare coordination
  • Business licensing and permitting systems, affecting municipal services to residents and businesses
  • Financial and accounting systems, complicating municipal operations and payroll processing
  • Water treatment and utility management systems (backup systems maintained partial functionality)

Approximately 500 municipal servers were encrypted by the ransomware, representing a massive operational disruption. The city was forced to activate emergency response protocols and manually manage critical services. Communication to residents became challenging as email systems and public information services were partially offline.

Public Impact

Hamilton residents experienced significant disruption to municipal services. HSR transit service was reduced to manual ticketing for several days before partial systems restoration. Recreation facilities remained closed for over a week, affecting sports programmes, fitness activities, and community events. Residents attempting to conduct business with the city faced lengthy delays as staff worked with paper-based systems and manual processes.

The attack also raised concerns about sensitive personal data. The city recognised that resident information, including names, addresses, phone numbers, and potentially some financial information, may have been accessed and exfiltrated by threat actors before encryption occurred.

City of Hamilton's Response

The city implemented a comprehensive incident response approach:

  • Engaged external cybersecurity firms and forensic investigators to assess the attack and guide recovery
  • Isolated affected systems to prevent further ransomware spread
  • Notified Ontario Cyber Security Authority and law enforcement of the incident
  • Worked systematically through recovery procedures, prioritising critical services
  • Provided regular public updates about service restoration progress
  • Did not pay the ransom demand, instead focusing on system restoration from backups
  • Implemented enhanced security controls including improved access management and monitoring

Lessons Learned

The City of Hamilton ransomware attack provides critical lessons for Canadian municipalities and government organisations. First, the initial infection vector was remarkably simple: a phishing email that a single employee clicked. This underscores the necessity of comprehensive security awareness training and technical email security controls that can prevent phishing messages from reaching employee inboxes.

Second, the two-week dwell time before ransomware deployment demonstrates the importance of continuous network monitoring and threat detection. Organisations must implement systems capable of detecting suspicious activity, unusual access patterns, and lateral movement attempts by threat actors before major attacks are launched.
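The kind of detection logic that would surface a dwell-time intrusion like the one described above, as an added example that is not part of the original article and is not CyberSafe's code. It runs three simple rules over a constructed, hypothetical logon log (the users, hosts and timestamps are invented for illustration and are not data from the Hamilton incident): an account reaching an unusual number of distinct hosts in a short window, logons outside business hours, and a failed logon to a host followed shortly by a successful one with the same account.

```python
"""Detection rules for lateral movement and unusual access over constructed logon events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical users and hosts, not data from the Hamilton incident).
# Each line: ISO timestamp, account, source host, destination host, logon result.
SAMPLE_LOG = """\
2024-01-25T08:02:11 user=jdoe src=WS-114 dst=FS-01 result=success
2024-01-25T08:30:45 user=jdoe src=WS-114 dst=MAIL-01 result=success
2024-01-25T17:45:02 user=jdoe src=WS-114 dst=FS-01 result=success
2024-01-26T09:10:30 user=asmith src=WS-207 dst=FS-02 result=success
2024-01-26T23:14:09 user=jdoe src=WS-114 dst=FS-01 result=success
2024-01-26T23:15:41 user=jdoe src=WS-114 dst=FS-02 result=success
2024-01-26T23:16:03 user=jdoe src=WS-114 dst=SQL-01 result=success
2024-01-26T23:16:58 user=jdoe src=WS-114 dst=DC-01 result=failure
2024-01-26T23:17:20 user=jdoe src=WS-114 dst=DC-01 result=success
2024-01-26T23:18:44 user=jdoe src=WS-114 dst=BACKUP-01 result=success
2024-01-26T23:19:12 user=jdoe src=WS-114 dst=WS-301 result=success
2024-01-27T08:05:00 user=asmith src=WS-207 dst=FS-02 result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) dst=(\S+) result=(\S+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, dst, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def detect_fan_out(events, window_minutes=10, threshold=5):
    """One account touching many distinct hosts in a short window is a lateral-movement signal."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start, hosts, j = evs[i]["ts"], [], i
            while j < len(evs) and evs[j]["ts"] - start <= window:
                if evs[j]["dst"] not in hosts:
                    hosts.append(evs[j]["dst"])
                j += 1
            if len(hosts) >= threshold:
                alerts.append({"rule": "lateral_fan_out", "user": user, "start": start, "hosts": hosts})
                i = j  # one alert per window, then move past it
            else:
                i += 1
    return alerts


def detect_off_hours(events, start_hour=6, end_hour=20):
    """Logons outside the organisation's normal working hours (assumed 06:00-20:00 here)."""
    return [{"rule": "off_hours_logon", "user": e["user"], "dst": e["dst"], "ts": e["ts"]}
            for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def detect_failure_then_success(events, window_minutes=5):
    """A failed logon to a host followed shortly by success with the same account."""
    alerts, by_key = [], defaultdict(list)
    for e in events:
        by_key[(e["user"], e["dst"])].append(e)
    window = timedelta(minutes=window_minutes)
    for (user, dst), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        last_failure = None
        for e in evs:
            if e["result"] == "failure":
                last_failure = e["ts"]
            elif last_failure is not None and e["ts"] - last_failure <= window:
                alerts.append({"rule": "failure_then_success", "user": user, "dst": dst, "ts": e["ts"]})
                last_failure = None
    return alerts


def run_all(text):
    """Run every rule over a log and return the alerts grouped by rule name."""
    events = parse_log(text)
    return {"lateral_fan_out": detect_fan_out(events),
            "off_hours_logon": detect_off_hours(events),
            "failure_then_success": detect_failure_then_success(events)}


if __name__ == "__main__":
    for rule, alerts in run_all(SAMPLE_LOG).items():
        print(rule, len(alerts), "alert(s)")
        for a in alerts:
            print("  ", a)
```

Each rule on its own produces noise in a real estate (administrators do reach many hosts, shift workers do log on at night); the value is in correlating them per account and reviewing the accounts that trip more than one rule, which in this constructed sample is the single account whose late-night fan-out also includes a failed-then-successful logon to a domain controller. Thresholds and working hours are assumptions to be tuned against an organisation's own baseline.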

Third, the attack illustrates the critical importance of maintained, tested backups. The city's ability to recover most systems was directly attributable to having offline backup systems available. Many organisations that pay ransoms could have recovered through better backup and disaster recovery planning.
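What "maintained, tested backups" means in practice, as an added example that is not part of the original article and is not CyberSafe's code: a backup is only proven when a test restore is compared file by file against a manifest of hashes recorded at backup time, and when its age is checked against the recovery point the organisation has committed to. The scenario, file names, contents and dates below are constructed for illustration and are not from the Hamilton incident; the 24-hour freshness limit is an assumed recovery point objective.

```python
"""Backup verification: manifest integrity check and restore test on constructed data."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, created=None):
    """Record a SHA-256 for every file under backup_dir at backup time."""
    files = {}
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    created = created or datetime.now(timezone.utc)
    return {"created": created.isoformat(), "files": files}


def verify_restore(manifest, restore_dir):
    """Compare a test restore against the manifest: every file must exist and hash-match."""
    missing, modified, present = [], [], {}
    for root, _dirs, names in os.walk(restore_dir):
        for name in names:
            full = os.path.join(root, name)
            present[os.path.relpath(full, restore_dir).replace(os.sep, "/")] = full
    for rel, expected in sorted(manifest["files"].items()):
        if rel not in present:
            missing.append(rel)
        elif sha256_file(present[rel]) != expected:
            modified.append(rel)
    extra = sorted(set(present) - set(manifest["files"]))
    return {"ok": not missing and not modified, "missing": missing,
            "modified": modified, "extra": extra}


def backup_is_fresh(manifest, max_age, now=None):
    """A backup older than the recovery point objective is a finding in its own right."""
    now = now or datetime.now(timezone.utc)
    return now - datetime.fromisoformat(manifest["created"]) <= max_age


def run_demo():
    """Constructed scenario: back up three files, then test-restore with one corrupted and one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        restore = os.path.join(tmp, "restore")
        os.makedirs(os.path.join(backup, "records"))
        sample_files = {  # constructed contents, not real municipal data
            "records/payroll.csv": "id,amount\n1,100\n",
            "records/permits.csv": "permit,status\nA1,open\n",
            "config.json": '{"site": "example"}\n',
        }
        for rel, body in sample_files.items():
            with open(os.path.join(backup, rel), "w") as f:
                f.write(body)
        manifest = build_manifest(backup, created=datetime(2024, 1, 20, tzinfo=timezone.utc))
        shutil.copytree(backup, restore)
        with open(os.path.join(restore, "records/payroll.csv"), "a") as f:
            f.write("2,999999\n")  # simulated corruption or tampering of the restored copy
        os.remove(os.path.join(restore, "config.json"))  # simulated file lost in restore
        report = verify_restore(manifest, restore)
        # Assumed 24-hour recovery point objective, checked on a constructed later date.
        report["fresh"] = backup_is_fresh(manifest, timedelta(hours=24),
                                          now=datetime(2024, 2, 8, tzinfo=timezone.utc))
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest should be stored with the offline copy and, ideally, signed, so that an attacker who reaches the backup host cannot silently rewrite both the data and its hashes; scheduling this restore test regularly, rather than waiting for an incident, is what turns a backup into a recovery plan.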

How CyberSafe Can Help

CyberSafe's Cyber Defense Services help municipalities implement defence-in-depth strategies including advanced email security, network segmentation, and continuous monitoring. Our Managed Security Services provide 24/7 threat detection and incident response capabilities. We also offer Ransomware Preparedness Consulting to help organisations develop resilience strategies including backup verification, recovery planning, and incident response procedures.
