Metro Vancouver’s transit system is the latest victim of a ransomware attack.
Global News has obtained the ransom letter sent to TransLink amid “suspicious network activity” this week that has caused several major problems across the transit system.
TransLink CEO Kevin Desmond confirmed the attack in a media release late Thursday.
Ransomware is a type of malicious software that locks up a computer network or steals data. Attackers demand a ransom in exchange for unlocking the system or returning the data.
“Your network has been ATTACKED, your computers and servers were LOCKED, your private data was DOWNLOADED,” reads the letter.
“If you do not contact us in the next three DAYS we will begin DATA publication.”
The letter viewed by Global News does not specify a ransom amount, but goes on to claim that recovering the data and systems without paying the ransom will cost “hundreds of millions” of dollars.
Sources inside TransLink say the belief is the attacker is a high-profile hacker who is responsible for a number of similar attacks in the U.S. They believe this may be the attacker’s first successful foray into Canada.
The letter includes instructions for administrators to contact the ‘Egregor’ website using the anonymous browser Tor.
The Egregor ransomware reportedly surfaced in September and made headlines with attacks on Barnes & Noble and Ubisoft.
Sources tell Global News the attack is believed to have started with a successful phishing email.
The transit agency is taking the position that it will not give in to the ransom demand, sources tell Global News.
The attack could also affect payday, which is Friday, for TransLink employees.
Sources tell Global News the company’s payroll operations are down.
Employees will still be paid, but using a cash advance, at 65 per cent of their normal pay, but without payroll deductions, sources say.
In his statement Thursday, Desmond said TransLink was “working to resume normal operations as quickly and safely as possible.”
He said the agency was conducting a forensic investigation, and that TransLink does not store any customers fare payment data.
Compass vending machines and tap-to-pay fare gates began accepting credit and debit card payments again Thursday afternoon, he said.
Various online services, including the Trip Planner tool, remained disabled Thursday evening.
“We are sharing as much as we can at this point considering this is an active investigation,” Desmond said.
“We feel it is important to keep our customers and employees as informed as possible in the circumstances. We are also sharing this update in order to alert other organizations about the dangers of this ransomware attack.”
Earlier in the day, Desmond said the transit agency had acted to isolate systems as soon as it realized there had been a breach.
Dominic Vogel, chief security strategist at Cyber.SC told Global News Thursday it is important to note that TransLink has engaged digital forensics, which he described as the “CSI squad of computers.”
“This type of incident, while it may not affect the general public or the ridership of TransLink, it could end up affecting the employees there,” he added, as there would sensitive information about those who work at the company stored in the databases.
He said the organization should not lose control of the narrative.
While officials are still not calling it a hack, a source told Global News the entire database was breached Monday night.
Sources inside TransLink told Global News Wednesday that phones are down, the radio system on buses has been down for more than 24 hours, drivers can’t access an online portal for employees, and some tasks are being done manually.
TransLink said it was limited in the information it could share, “given that this is an active investigation involving law enforcement authorities.”
Transit systems are still operating regularly and without any impact on the schedules.
Metro Vancouver Transit Police said an investigation has been launched involving local and national cyber-crime experts.