Ransomware attack cripples Vancouver public transportation agency

TransLink customers left unable to use the agency's public ticketing kiosks and cards for two days.

A ransomware attack has crippled the operations of TransLink, the public transportation agency for the city of Vancouver, Canada.

The attack took place this week, on December 1, and has left Vancouver residents unable to use their Compass metro cards or pay for new tickets via the agency's Compass ticketing kiosks.


TransLink initially passed the incident off as a prolonged technical issue before reporters from local news outlet CITY NEWS 1130 learned of the true nature of the incident and forced the agency to come clean.

"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure," TransLink CEO Kevin Desmond said in a statement released last night, after the CITY NEWS 1130 report.

While Desmond did not reveal the name of the ransomware strain/gang that breached TransLink's network, he confirmed that the attackers had sent the ransom note to be printed by the agency's printers.

A copy of this ransom note was published online by another local reporter.

Based on the ransom note, TransLink had its systems infected with a version of the Egregor ransomware.

At least one affiliate of the Egregor Ransomware-as-a-Service operation is known to employ the tactic of sending a copy of the ransom note to local printers.

A previous case was reported in South America after the same Egregor affiliate group also hit Cencosud, a major retail store chain, and had its printers spew its ransom note in full view of store employees and customers.

In the meantime, TransLink says it has restored access to its Compass kiosks so customers can resume using its Tap to Pay feature to pass through fare gates.

TransLink said the incident did not affect any of its transit routes.

The Egregor gang is also known for stealing data from hacked networks before encrypting their files. Desmond said TransLink is still in the middle of a forensic investigation, so they can't confirm what was taken. Nonetheless, the CEO said payment details were not in danger as the company doesn't store this type of data to begin with.