Ransomware attack paralyzes Vancouver public transportation agency

TransLink, Vancouver, Canada's public transportation agency, has become the victim of a ransomware attack that has left residents of the city unable to use their Compass metro cards or pay for new tickets via the agency's Compass ticketing kiosks.

The attack took place on Tuesday, but the agency initially passed it off as a prolonged technical issue. However, reporters at local radio station CITY NEWS 1130 found out what had happened and forced the organization to admit the attack took place.

"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure," TransLink CEO Kevin Desmond said in a statement to the radio station.

“TransLink does not store fare payment data. We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data.”

Desmond didn’t reveal the ransomware’s name but confirmed the hackers printed a demand note on the agency’s printers.

“Your network was attacked, your computers and servers were locked,” the note read. Printing these notes on an organization’s printer is a tactic used by the Egregor ransomware.

Services were restored Thursday afternoon.

Sam Curry, chief security officer at Cybereason, told ITPro that these types of attacks are increasing against public and private sector companies, but there’s a silver lining.

According to Curry, “The silver lining is that there are fewer strains of ransomware in the wild and the good guys or defenders have more than a fighting chance to turn the tables on the cyber adversaries. And good for TransLink for eventually owning up to the fact it was a ransomware attack. Honestly, they should have come clean at the outset, shared as much information as possible and assured customers they were doing everything humanly possible to restore transportation services to normal.”

Stuart Sharp, VP of technical services at OneLogin, told ITPro that it’s fortunate that Translink doesn’t store any financial information, so citizens’ financial data wasn’t at risk in the attack.

“It goes to show that any organization where an IT system plays a crucial role in running services is at risk from ransomware attacks, not just organizations that store sensitive data,” Sharp said.

Javvad Malik, security awareness advocate at KnowBe4, said ransomware operators are more focused and targeted in their attacks.

“They tend to spend more time within an organization before deploying ransomware. This allows them to not only steal data that they can use to further blackmail the organization or its customers with but also to identify which data and systems to encrypt with ransomware for maximum impact,” he said.

Malik added it's essential that organizations have controls in place to prevent ransomware from gaining access via a layered security strategy that includes technical controls and ensuring employees receive security awareness and training.