The City of Sault Ste. Marie made the difficult decision to pay a substantial ransom following a devastating ransomware attack in October 2024. The attack encrypted critical municipal systems and forced the northern Ontario city to choose between paying threat actors and continuing operations under severe constraints. The incident highlighted the position municipalities are placed in when infrastructure is compromised and public services are disrupted.
What Happened
On October 3, 2024, the City of Sault Ste. Marie discovered that ransomware had been deployed across critical municipal systems. Investigation revealed that threat actors had gained initial access through a contractor VPN account whose credentials had been obtained through phishing. The compromise went undetected for approximately three weeks, allowing threat actors to establish persistent access, map critical systems, and prepare the ransomware deployment.
The threat actors deployed Royal ransomware, a sophisticated variant known for combining strong encryption with aggressive data exfiltration. The ransomware encrypted files across municipal servers whilst threat actors exfiltrated sensitive data. The threat actors contacted the city with ransom demands and a deadline, threatening to publish exfiltrated data containing sensitive resident information if payment was not received.
Scope of the Attack
The ransomware attack affected critical municipal systems including:
- Water and wastewater treatment facility management systems
- Tax assessment and municipal property records systems
- Utility billing and customer account systems
- Human resources and payroll processing systems
- Finance and accounting systems
- Building permits and development permit systems
- Email and document collaboration systems
Approximately 300 municipal servers were encrypted, representing a massive operational disruption. The city's water treatment systems operated under limited manual control, creating potential public health concerns. Residents were unable to pay utility bills online or access municipal services electronically. The city confirmed that resident personal information, including addresses, phone numbers, and some financial information, had been exfiltrated.
Ransom Decision and Payment
Faced with operational crisis and public service disruption, the city decided to negotiate with threat actors. After discussions with cybersecurity advisors and law enforcement, the city agreed to pay approximately CAD 2.8 million in cryptocurrency to obtain decryption keys. The payment allowed the city to begin recovering encrypted systems, though recovery efforts took several weeks to complete.
The city's decision to pay was controversial, with critics arguing it funded criminal activity and encouraged future attacks on other municipalities. However, city officials emphasised that continued disruption to water services, utility billing, and other critical functions posed unacceptable risks to public health and safety. The decision illustrated the difficult choices municipalities face when traditional recovery options are unavailable or insufficient.
Impact on Residents
Sault Ste. Marie residents experienced significant service disruptions. Water bills could not be paid online for several weeks, forcing residents to use alternative payment methods. Building permit applications were delayed as the permit system remained offline. Property tax assessments could not be accessed, creating confusion for residents attempting to appeal assessments. The incident demonstrated how municipal cyber incidents cascade to affect essential services that residents depend on.
City of Sault Ste. Marie's Response
Following the attack and ransom payment, the city implemented comprehensive response measures:
- Negotiated payment with threat actors and obtained decryption keys
- Systematically recovered encrypted systems using decryption tools provided by threat actors
- Notified residents about the breach and recommended protective actions for exposed personal information
- Offered complimentary identity theft protection to affected residents
- Conducted comprehensive forensic investigation with external cybersecurity firms
- Revoked all contractor and external access credentials
- Implemented mandatory multi-factor authentication for all remote access accounts
- Enhanced email security and phishing detection systems
Lessons Learned
The Sault Ste. Marie ransomware incident illustrates several critical lessons for Canadian municipalities. First, contractor access represents a significant attack vector that is often overlooked. Contractor accounts frequently have excessive privileges and weaker security controls than internal employee accounts. Municipalities must implement strict vendor access management with least-privilege principles.
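The vendor access controls described above can be checked mechanically. The following Python script is an added example, not the City's or CyberSafe's tooling: it audits an inventory of remote-access accounts for the gaps this incident exposed (no MFA on a remote account, a contractor holding privileged roles, an account still active past its contract end, and an account unused long enough that a compromise could go unnoticed). The account records, role names, and the 30-day staleness threshold are constructed assumptions; in practice the records would be exported from the VPN appliance or identity provider.

```python
"""Audit remote-access accounts for vendor/contractor access gaps.

Added example (not the City's or CyberSafe's code). Account records below
are constructed; field and role names are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 30  # assumed policy: flag remote accounts unused for 30+ days
PRIVILEGED_ROLES = {"domain_admin", "server_admin"}  # assumed role names


@dataclass
class RemoteAccount:
    name: str
    kind: str                    # "employee" or "contractor"
    mfa_enrolled: bool
    roles: set[str]
    last_login: date
    contract_end: Optional[date] = None  # contractors only


def audit(accounts: list[RemoteAccount], today: date) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every control gap detected."""
    findings = []
    for a in accounts:
        if not a.mfa_enrolled:
            findings.append((a.name, "no_mfa"))
        if a.kind == "contractor":
            # Least privilege: vendor accounts should never hold admin roles.
            if a.roles & PRIVILEGED_ROLES:
                findings.append((a.name, "contractor_privileged"))
            # Access must be removed when the engagement ends.
            if a.contract_end is not None and a.contract_end < today:
                findings.append((a.name, "contract_expired"))
        # Dormant accounts give an intruder quiet, long-lived access.
        if (today - a.last_login).days >= STALE_DAYS:
            findings.append((a.name, "stale"))
    return findings


def run_audit() -> list[tuple[str, str]]:
    """Run the audit against a constructed sample inventory."""
    today = date(2024, 10, 3)
    sample = [  # constructed records, not real accounts
        RemoteAccount("svc-hvac-vendor", "contractor", False, {"server_admin"},
                      date(2024, 9, 12), contract_end=date(2024, 6, 30)),
        RemoteAccount("jdoe", "employee", True, {"user"}, date(2024, 10, 2)),
        RemoteAccount("old-consultant", "contractor", True, {"user"},
                      date(2024, 7, 1), contract_end=date(2025, 1, 31)),
        RemoteAccount("admin-backup", "employee", False, {"domain_admin"},
                      date(2024, 10, 1)),
    ]
    return audit(sample, today)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

Each finding maps to one remediation in the city's response list: disable MFA-less remote accounts until enrolled, strip privileged roles from vendor accounts, and revoke expired or dormant contractor access.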
Second, the incident demonstrates the necessity of comprehensive backup and disaster recovery capabilities. Organisations that have offline, tested backups may be able to avoid ransom payments entirely. The city's limited backup options contributed to the difficult decision to pay threat actors.
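"Tested backups" means more than confirming a job ran: the backup must be restored and compared against what was written. The Python script below is an added example, not the City's recovery procedure. It builds a small constructed data set in a temporary directory, records a SHA-256 manifest at backup time, restores the set to a scratch location, and checks every restored file against the manifest and a maximum backup age. The file contents and the 24-hour age policy are constructed assumptions.

```python
"""Restore-test a backup set against its integrity manifest.

Added example (not the City's or CyberSafe's code). Data files are
constructed; the 24-hour maximum backup age is an assumed policy.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_S = 24 * 3600  # assumed recovery-point policy


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path) -> Path:
    """Copy src to dest and write manifest.json with a SHA-256 per file."""
    shutil.copytree(src, dest)
    manifest = {"created": time.time(), "files": {}}
    for p in sorted(dest.rglob("*")):
        if p.is_file():
            manifest["files"][p.relative_to(dest).as_posix()] = sha256_file(p)
    out = dest / "manifest.json"
    out.write_text(json.dumps(manifest))
    return out


def verify_restore(backup: Path, restore_to: Path, now: float) -> dict:
    """Restore backup into restore_to and compare every file to the manifest."""
    manifest = json.loads((backup / "manifest.json").read_text())
    report = {"ok": True, "mismatched": [], "missing": [], "too_old": False}
    if now - manifest["created"] > MAX_BACKUP_AGE_S:
        report["too_old"] = True
        report["ok"] = False
    # Perform a real restore; the manifest itself is not part of the data.
    shutil.copytree(backup, restore_to,
                    ignore=shutil.ignore_patterns("manifest.json"))
    for rel, expected in manifest["files"].items():
        p = restore_to / rel
        if not p.exists():
            report["missing"].append(rel)
            report["ok"] = False
        elif sha256_file(p) != expected:
            report["mismatched"].append(rel)
            report["ok"] = False
    return report


def demo(corrupt: bool = False, simulate_age_s: float = 0) -> dict:
    """Back up constructed data, optionally tamper with the copy, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "live"
        (src / "billing").mkdir(parents=True)
        (src / "billing" / "accounts.csv").write_text("acct,balance\n1001,42.50\n")
        (src / "permits.db").write_bytes(b"\x00sample permit data\x00")
        backup = root / "backup-set"
        create_backup(src, backup)
        if corrupt:  # simulate a silently damaged or altered backup file
            (backup / "billing" / "accounts.csv").write_text("acct,balance\n1001,0.00\n")
        return verify_restore(backup, root / "restore-test",
                              now=time.time() + simulate_age_s)


if __name__ == "__main__":
    print(demo())
    print(demo(corrupt=True))
```

A report with `ok` false is the signal that the backup would not have supported recovery; running this against an offline copy on a schedule is what turns a backup into a recovery option.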
Third, the attack illustrates the cascading impact of ransomware on essential services. Municipalities must prioritise cyber resilience and redundancy for systems affecting public health and safety, including water treatment and utility management systems.
How CyberSafe Can Help
CyberSafe's Cyber Defense Services help municipalities implement ransomware resilience programmes including backup verification, recovery testing, and network segmentation. Our Vendor Access Management Consulting helps organisations implement strict controls on third-party and contractor access. Through Managed Security Services, we provide 24/7 threat detection to identify attacks before ransomware deployment occurs.