Ransomware attack strikes Nygard IT systems on Dec. 12, receiver company assessing impact

Peter Nygard will ring in the new year behind jail bars, while the company in control of Nygard's assets recovers from a ransomware attack that impacted dozens of computer servers linked to the Nygard IT system.

RCMP and Winnipeg police arrested Nygard on Dec. 14in relation to a nine-count indictment in the United States accusing the 79-year-old of racketeering, sex trafficking and other related crimes. He is currently in custody at the Winnipeg Remand Centre.

While in court on Dec. 15, Justice Sheldon Lanchbery said Nygard would be held in jail until Jan. 13, 2021. But on Thursday, Nygard's bail application was set for 10 a.m. on Jan. 6, 2021.

A total of 57 women have joined a class-action suit, filed in New York earlier this year, accusing Nygard of rape, sexual assault and human trafficking dating back to 1977.

The class action was put on hold in Augustafter a judge presiding over the case in the Southern District of New York entered a stay of proceeding so that the FBI could complete its investigation, according to court documents.

The FBI is urging anyone who believes they are a victim of the sexual abuse perpetrated by Nygard to contact them at 1-800-225-5324.

No allegations have been proven in court.

Nygard IT system hacked

Richter Advisory Group Inc., the court-appointed receiver of Nygard's assets, says Nygard IT servers were a victim of a ransomware attack, according to a court document dated Dec. 30.

Informanixa third-party IT consultant hired to preserve digital recordsand the Nygard IT staffwere working to recover records and computer servers impacted by a November power outage in northwestern Winnipegwhen they had to pivot to deal with a ransomware attack on Dec. 12.

The ransomware attack a type of malware attack where the perpetrator locks and encrypts the victim's data and demands payment to unlock and decrypt the data compromised "certain electronic records, programs and IT infrastructure of the Nygardorganization, including the debtors," the court document says.

But "by reason of the size and complexity of the IT System, and the caution needed in taking steps to assess the ransomware attack, the full scope and impact of the ransomware attack is not yet certain," the document says.

Around 7 p.m. CST on Dec. 12, Richter Advisory Group became aware of the ransomware attack that infected the Nygard IT system. A message from the attackers informed them of the hack, and detailed how to proceed to gain access to the data again.

"Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program," read the message, which was an appendix of the court document.

"Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover."

By 8:30 p.m., all servers were shut down. By 10 p.m., they were physically unplugged, the court document says. "These immediate actions appear to have stopped the further spread of the malware and preserved certain portions of the IT system."

The perpetrators are yet to be identified, but IT staff identified the ransomware responsible as Netwalker a type of ransomware created by Circus Spider, a "highly sophisticated" cybercrime group who started selling tools and ransomware over the dark web last March, the court document says.

The attackers initially demanded approximately 99 bitcoins equivalent to more than $3.6 million. Richter did not respond to the initial demand and the ransom payment was increased to 198 bitcoins equivalent to more than $7.2 million, the document says.

Richter was told on Dec. 23 that if the ransom is not received, the stolen files and data will be made public on Jan. 2, 2021. But Richter will not consider paying the ransom, the court document says.

Although IT staff are still assessing the damage of the ransomware attack and how to back up impacted files and data, there are four servers encrypted which do not appear to be able to be restored.

Had the IT staff not acted as they did on Dec. 12, data from approximately 46 servers would have been permanently lost, the court document says.