Ransomware Confirmed: Black Basta Caused Outage at Toronto Public Library

The cyberattack on the Toronto Public Library last week was carried out by the Black Basta ransomware operation, according to a photo shared by a TPL employee.

TPL, Canada’s largest public library, had issued a notice to inform bibliophiles that its services had been downed by hackers last weekend.

The outage persists to this day, with an updated notice yesterday saying that, “As a result of the incident, the following services are unavailable: tpl.ca, ‘your account,’ tpl:map passes and digital collections.”

Public computers and printing services at all TPL branches are also down. Phone lines and WiFi are up and running, but TPL anticipates it may take several days to restore all systems fully.

Like the original memo, yesterday’s notice maintains that, “As of now, there is no evidence that the personal information of our staff or customers has been compromised.”

But that may turn out false if a report by BleepingComputer is to be considered. The cyber news site received an anonymous tip from within TPL claiming that Saturday’s attack was carried out by Black Basta ransomware operators.

A photo shared with the news outlet purports to show the hackers’ ransom note. In typical ransomware fashion, the extortionists instruct the victim to get in touch for negotiations while also warning not to tamper with the encrypted data or risk losing it.

Bitdefender cautioned Tuesday that a data leak was not out of the question if the attackers turned out to be extortionists, as is often the case with such incidents.

According to the unnamed tipster, the attack occurred overnight on Oct. 27. TPL deliberately shut down internal systems to prevent the spread of the malware.

The library’s main servers containing sensitive data were allegedly not encrypted. If true, this doesn’t necessarily mean the attackers didn’t view or copy some internal data.

Black Basta is a cybercrime enterprise responsible for a plurality of targeted attacks on organizations in the US, Canada, Europe, Australia, New Zealand, and Japan. The operation is thought to be an offshoot of the now-defunct Conti ransomware crew.