A ransomware attack has crippled the operations of TransLink, the public transportation agency for the city of Vancouver, Canada.
The attack took place this week, on December 1, and has left Vancouver residents unable to use their Compass metro cards or pay for new tickets via the agency's Compass ticketing kiosks.
TransLink initially passed the incident off as a prolonged technical issue, until reporters from local news outlet CITY NEWS 1130 learned of its true nature and forced the agency to come clean.
Working with my colleague @pjimmyradio, we can confirm for @NEWS1130 that @TransLink has been hacked. Our information comes from multiple sources within the transit authority, who have shared the ransom letter with us. Listen in for more details throughout the afternoon.
— Martin MacMahon (@martinmacmahon) December 3, 2020
"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure," TransLink CEO Kevin Desmond said in a statement released last night, after the CITY NEWS 1130 report.
Statement from TransLink CEO Kevin Desmond: pic.twitter.com/n6hFd6tY3p
— News from TransLink (@TransLinkNews) December 4, 2020
While Desmond did not reveal the name of the ransomware strain/gang that breached TransLink's network, he confirmed that the attackers had sent the ransom note to be printed by the agency's printers.
A copy of this ransom note was published online by another local reporter.
Ransom letter that’s been rolling off the printers at @TransLink.
— Jordan Armstrong (@jarmstrongbc) December 4, 2020
Sources tell me, at this point, @TransLink does NOT intend to pay.
But a cyber security expert we spoke to says this is a sophisticated new type of ransomware attack... and many victims do pay. @GlobalBC pic.twitter.com/2tYLy4lZkG
Based on the ransom note, TransLink's systems were infected with a version of the Egregor ransomware.
At least one affiliate of the Egregor Ransomware-as-a-Service operation is known to employ the tactic of sending a copy of the ransom note to the victim's local printers.
A previous case was reported in South America after the same Egregor affiliate group also hit Cencosud, a major retail store chain, and had its printers spew its ransom note in full view of store employees and customers.
The #ransomware that hit Cencosud is #Egregor. The ransom note started coming out of the printers at several stores in Argentina and Chile pic.twitter.com/k1Ps4IDUyq
— Irlenys (@Irlenys) November 15, 2020
In the meantime, TransLink says it has restored access to its Compass kiosks so customers can resume using its Tap to Pay feature to pass through fare gates.
TransLink said the incident did not affect any of its transit routes.
The Egregor gang is also known for stealing data from hacked networks before encrypting their files. Desmond said TransLink is still in the middle of a forensic investigation, so they can't confirm what was taken. Nonetheless, the CEO said payment details were not in danger as the company doesn't store this type of data to begin with.