IOTW: Disruption Key Strategy For Public Transportation Ransomware Attack

Add bookmark

Seth Adler

Residents of Vancouver, BC found themselves out in the cold on December 1st after their public transportation payments were refused at ticket kiosks. Three days later, TransLink releases a statement about the ransomware attack.


TransLink services the greater Metro Vancouver area with major road and bridge maintenance and public transportation. On December 1st, commuters attempting to use TransLink kiosks to purchase tickets and those with existing Compass metro cards were puzzled to find both services inactive. TransLink initially chalked the service outage up to a technical issue before admitting to the hack via Twitter two days later, releasing their official statement via their website on December 4th. Some media outlets and cyber security professionals condemned TransLink for their lack of transparency, while the company insists it was necessary due to the ongoing investigation.

The TransLink official statement reads in part, “TransLink employs a number of tools to prevent, identify and mitigate these types of attacks. Upon detection, we took immediate steps to isolate and shut-down key IT assets and systems in order to contain the threat and reduce the impact on our operations and infrastructure. We are now working to resume normal operations as quickly and safely as possible.

We will be conducting a comprehensive forensic investigation to determine how the incident occurred, and what information may have been affected as a result. We want to assure our customers that TransLink does not store fare payment data. We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data.”

Related: Integrating Communications And Creating Operations Effectiveness

TransLink also confirmed that the ransom came in the form of a printed message. In fact, insiders who spoke with the local news station News 1130 say that the ransom note continuously printed on several TransLink printers and included threats to release stolen data to the media. While not explicitly stated, it is assumed that the ransomware group Egregor is behind the breach. Since its appearance on the cyber scene last September, Egregor has made headlines multiple times after attacks on Barnes & Noble, gaming enterprises Ubisoft and Crytek, and most recently, Kmart.

Lessons Learned

Along with its trademark ransom note printing, Egregor uses anti-analysis strategies to go undetected, including code obfuscation and packed payloads. Victims are instructed to visit a website on the Deep Web in order to live chat with an Egregor representative about the ransom, and, allegedly, security advice for the enterprises that pay. Interestingly, the name Egregore comes from “an occult concept representing a distinct non-physical entity that arises from a collective group of people.”

Ransomware attacks often use disruption as part of their strategy in order to create the urgency that pressures enterprises into paying ransoms. Bad press and the classic credit monitoring promises to compromised customers is one thing, but when important infrastructure or services go down, enterprises stand to lose big.

Related: Harnessing A Present & Future Fraught With Danger

In 2019, the average cost of downtime caused by a ransomware attack for SMBs was $141,000. For enterprises, the average cost for the same in Q3 of 2019 was estimated at $740,357.

Quick Tips

Ransomware attacks rely in part on lax cyber protocols. In order to best safeguard your enterprise from this growing threat, consider the following:

  1. Back up data smartly – One of the ways cyber criminals convince corporations to pay ransoms is by holding their data hostage by encrypting it. While most enterprises back up their data, it is often located in the same compromised infrastructure the original data. Consider backing up data to external drives or a second cloud service provider.
  2. Choose a reputable security suite – Standard antivirus software and basic firewalls may be sufficient for the layperson, but enterprises should invest in a security suite that uses smart tools and sophisticated algorithms to spot and, if possible, remove ransomware. The tool must be able to run in the background 24/7.
  3. Install Software Updates – Cyber criminals look for the path of least resistance. Such a path is usually found in outdated software that hasn’t downloaded the most up-to-date patches, bug fixes, and other newly designed features. Remember to keep all apps, plug-ins, and third-party software up to date as well.

Read More: Incident Of The Week