Full Report
The Toronto Zoo, the largest zoo in Canada, has provided more information about the data stolen during a ransomware attack in January 2024. [...]
Analysis Summary
# Incident Report: Toronto Zoo Ransomware Attack (Akira Group)
## Executive Summary
The Toronto Zoo suffered a ransomware attack sometime in 2023, with the data exfiltration being claimed publicly by the Akira ransomware group in January 2024. The attack resulted in the theft of approximately 133GB of data, including sensitive internal files, database backups, and user or visitor information. The organization reported the breach to the privacy commissioner and is advising those affected to monitor their financial accounts.
## Incident Details
- Discovery Date: Not explicitly stated, but the data exfiltration was claimed in January 2024.
- Incident Date: Occurred sometime in 2023.
- Affected Organization: Toronto Zoo
- Sector: Public Service / Zoological Institution
- Geography: Toronto, Canada (Ontario)
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but occurred prior to data publication in January 2024.
- Vector: Not explicitly disclosed by the Zoo, but Akira typically gains access via external-facing systems or compromised credentials.
- Details: Unknown initial breach vector.
### Lateral Movement
- Details: Attackers successfully accessed and exfiltrated data from a file server.
### Data Exfiltration/Impact
- Date/Time: Ransomware group published data starting early February 2024.
- Details: Approximately 133GB of files were stolen from a file server, allegedly including database backups, ticket information, confidential agreements (NDAs), personal files (e.g., driver's licenses), and animal-related information.
### Detection & Response
- Date/Time: Not stated; breach notification followed regulatory timelines.
- Details: The Toronto Zoo reported the data breach to the Office of the Information and Privacy Commissioner of Ontario (the IPC). Affected individuals were advised to monitor financial statements.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed, but the attackers obtained sufficient privileges to read sensitive files.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Attackers moved to a file server containing the bulk of the stolen data.
- Collection: 133GB of files were collected from a file server.
- Exfiltration: Data was exfiltrated before being published on the Akira dark web leak site.
- Impact: Data theft and potential identity exposure. No file encryption or operational disruption (ransom-note deployment) was reported; the disclosure focused on the data leak.
## Impact Assessment
- Financial: Not disclosed. (Note: Akira demands range from $200K to millions.)
- Data Breach: Sensitive data, including database backups, ticket information, confidential agreements, and personal files (such as driver's licenses), amounting to 133GB.
- Operational: Not detailed; any operational impact would have coincided with the initial compromise in 2023.
- Reputational: Public disclosure of a data breach involving confidential and personal information.
## Indicators of Compromise
- Network indicators: None provided in the source reporting (any URLs/IPs would be listed defanged).
- File indicators: Akira ransomware activity is suspected. Over 35GB of data was seeded via a torrent file containing multiple archives.
- Behavioral indicators: Unauthorized access and exfiltration from a file server.
## Response Actions
- Containment: Not detailed.
- Eradication: Not detailed.
- Recovery: Affected individuals were advised to monitor financial accounts. The incident was reported to the IPC.
## Lessons Learned
- The compromise highlights the risk associated with exposed or insufficiently protected file servers containing sensitive internal and personal data.
- The Toronto Zoo was impacted by the Akira ransomware group, which is known to actively publish stolen data following breaches.
## Recommendations
- Immediately review and strengthen access controls, backup routines, and segmentation around critical file servers.
- Enhance monitoring for large-scale data exfiltration activities.
- Review incident response plans to ensure timely engagement and communication following the confirmation of a data breach involving PII or confidential agreements.