Metro Vancouver’s transit system hit by ransomware attack

Ransomware attack shuts down part of Metro Vancouver’s transit system for a third day
Following a shutdown caused by an apparent ransomware attack, some TransLink services, including online route planning and Compass Card reloads by credit and debit card, remain offline. Jordan Armstrong reports. – Dec 3, 2020

Metro Vancouver’s transit system is the latest victim of a ransomware attack.

Global News has obtained the ransom letter sent to TransLink amid “suspicious network activity” this week that has caused several major problems across the transit system.

TransLink CEO Kevin Desmond confirmed the attack in a media release late Thursday.

Ransomware is malicious software that encrypts files and systems across a network, and in many current cases also copies data out of it first. Attackers demand a ransom in exchange for the decryption key and for a promise not to publish the stolen data.

“Your network has been ATTACKED, your computers and servers were LOCKED, your private data was DOWNLOADED,” reads the letter.


“If you do not contact us in the next three DAYS we will begin DATA publication.”


The letter viewed by Global News does not specify a ransom amount, but goes on to claim that recovering the data and systems without paying will cost “hundreds of millions” of dollars.


Sources inside TransLink say the belief is the attacker is a high-profile hacker who is responsible for a number of similar attacks in the U.S. They believe this may be the attacker’s first successful foray into Canada.

The letter includes instructions for administrators to contact the ‘Egregor’ website, reachable only through the anonymizing Tor browser.

The Egregor ransomware reportedly surfaced in September and made headlines with attacks on Barnes & Noble and Ubisoft.

Sources tell Global News the attack is believed to have started with a successful phishing email.

The transit agency is taking the position that it will not give in to the ransom demand, sources tell Global News.

The attack could also affect payday, which is Friday, for TransLink employees.

Sources tell Global News the company’s payroll operations are down.

Employees will still be paid, but by cash advance at 65 per cent of their normal pay and without payroll deductions, sources say.

In his statement Thursday, Desmond said TransLink was “working to resume normal operations as quickly and safely as possible.”


He said the agency was conducting a forensic investigation, and that TransLink does not store any customers’ fare payment data.

Compass vending machines and tap-to-pay fare gates began accepting credit and debit card payments again Thursday afternoon, he said.

Various online services, including the Trip Planner tool, remained disabled Thursday evening.

“We are sharing as much as we can at this point considering this is an active investigation,” Desmond said.

“We feel it is important to keep our customers and employees as informed as possible in the circumstances. We are also sharing this update in order to alert other organizations about the dangers of this ransomware attack.”

Earlier in the day, Desmond said the transit agency had acted to isolate systems as soon as it realized there had been a breach.

Dominic Vogel, chief security strategist at Cyber.SC, told Global News Thursday it is important to note that TransLink has engaged digital forensics, which he described as the “CSI squad of computers.”

“This type of incident, while it may not affect the general public or the ridership of TransLink, it could end up affecting the employees there,” he added, as there would be sensitive information about those who work at the company stored in its databases.

“If you look at all the big data breaches or security incidents over the past 20, 25 years, the ones where they end up just being a minor speedbump is when [the companies] were very transparent,” Vogel added. “So, rather than using terms like ‘suspicious activity,’ that’s very vague… I’d prefer that they be very specific with the facts. To me, the good playbook is to say ‘factually, this is what we know, this is what we don’t know, this is what we’re working on to try and identify.’”

He said the organization should not lose control of the narrative.


While officials are still not calling it a hack, a source told Global News the entire database was compromised Monday night.


Sources inside TransLink told Global News Wednesday that phones are down, the radio system on buses has been down for more than 24 hours, drivers can’t access the online employee portal, and some tasks are being done manually.

TransLink said it was limited in the information it could share, “given that this is an active investigation involving law enforcement authorities.”

Transit services are still operating regularly, with no impact on schedules.

Metro Vancouver Transit Police said an investigation has been launched involving local and national cyber-crime experts.
