A little over a month after Montreal’s transit agency suffered a highly disruptive ransomware attack, hackers have now carried out a successful ransomware attack targeting TransLink, the public transportation agency of Vancouver.
On 1st December, TransLink alerted customers that it was investigating an issue affecting some of its information technology systems that had knocked some services offline. The transportation agency said its team was working hard to isolate the problem and restore affected systems.
According to Canadian news agency CITY NEWS 1130, even though TransLink initially passed off the incident as an IT issue, its reporters were able to access a ransom note that hackers had sent to the transportation agency after carrying out a ransomware attack. “Your network was attacked, your computers and servers were locked,” the letter read.
Through the letter, hackers allegedly commanded TransLink to pay an unknown ransom amount within three days to regain access to its IT systems. Because of the ransomware attack, Vancouver residents were unable to use tap-and-pay services and were also unable to use credit and debit cards in the TransLink fare machines. These services were restored on Thursday, three days after the ransomware attack was discovered.
On Thursday, after the affected services were restored, TransLink CEO Kevin Desmond confirmed the ransomware attack, stating that as soon as the attack was discovered, the company took immediate steps to isolate and shut down key IT assets and systems to contain the threat and to reduce the impact on its operations and infrastructure.
“We will be conducting a comprehensive forensic investigation to determine how the incident occurred, and what information may have been affected as a result. We want to assure our customers that TransLink does not store fare payment data. We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data.
“Customers can once again use credit cards and debit cards at Compass vending machines and Tap to Pay fare gates. Customers who recently purchased monthly passes or stored value will soon see the credit loaded onto their Compass card. All transit services continue to operate regularly, and no transit safety systems are affected,” Desmond said.
“We are sharing as much as we can at this point considering that this is an active investigation. We feel it is important to keep our customers and our employees as informed as possible in the circumstances. We are also sharing this update in order to alert other organisations about the dangers of this ransomware attack.
“We apologise to our customers for this inconvenience and appreciate their ongoing patience. We will provide further updates as more information becomes available,” he added.
This is the second time in three months that a Canadian city transportation service has been hacked through a ransomware attack. In October, the Société de transport de Montréal (STM), the transit agency of Montreal, suffered a ransomware attack that resulted in the shutdown of around 1,000 of 1,600 servers.
As a result of the ransomware attack, STM was temporarily unable to honour travel reservations, and Montreal residents were unable to book new reservations or modify existing reservations. STM said in a statement that the hacker behind the ransomware attack demanded a ransom of $2.8 million to restore normal operations but also said it would not comply with the demand.
Commenting on the ransomware attack targeting TransLink, Sam Curry, Chief Security Officer at Cybereason, said that while these types of attacks are increasing against public and private sector companies, the silver lining is that there are fewer strains of ransomware in the wild and the good guys or defenders have more than a fighting chance to turn the tables on the cyber adversaries.
“This successful ransomware attack is yet another reminder to all transportation carriers by rail, land, air, and water to make sure they are deploying around the clock threat hunting services that will enhance their proverbial eyes and ears across their networks. Rooting out malicious behaviour and activity in its initial staging is extremely important to stopping it before the damage occurs,” he added.
According to Stuart Sharp, VP of Technical Services at OneLogin, in order to prevent ransomware attacks, it is vital that all businesses and government agencies have an in-depth and proactive approach to security along with a robust Business Continuity Plan to reduce the impact of a ransomware attack.
“This includes threat awareness, strong access control with multi-factor authentication, security tooling for monitoring/alerting, and crucially regular backups, version control, and thorough testing of disaster recovery procedures.”