Vancouver Metro Disrupted by Egregor Ransomware

The attack, which prevented Translink users from using their metro cards or buying tickets at kiosks, is the second from the prolific threat group just this week.

The threat actors behind the Egregor ransomware are showing a prolificacy in their early months of activity. On the heels of  targeting struggling U.S. retailer Kmart, the Egregor gang also disrupted the Vancouver metro system with a ransomware attack.

Translink, the Canadian city’s public transportation network, confirmed Thursday via a statement by its CEO Kevin Desmond on Twitter that it was “the target of a ransomware attack on some of our IT infrastructure” that “included communications to Translink through a printed message.”

The attack took place on Dec. 1 and left Vancouver residents and other users of the public transit service unable to use their Compass metro cards or pay for new tickets via the agency’s Compass ticketing kiosks, according to media reports. Translink officials avoided acknowledging the attack for two days, passing it off as a technical issue before being pressed by multiple local news agencies about what really was going on.

“Working with my colleague @pjimmyradio, we can confirm for @NEWS1130 that @TransLink has been hacked,” tweeted Martin MacMahon, a senior news reporter at local radio news station News 1130. “Our information comes from multiple sources within the transit authority, who have shared the ransom letter with us.”

Though officials did not come out and say Egregor was responsible for the attack—and the threat actors behind the ransomware have not ‘fessed up to it either — the ransom note that accompanied the attack points to the group as the culprit.

Jordan Armstrong, a reporter from another local news outlet, Global BC, tweeted a photo of the ransom note in the early hours of Friday morning, saying it was “rolling off the printers at @TransLink.”

“Sources tell me, at this point, @TransLink does NOT intend to pay,” he wrote. “But a cybersecurity expert we spoke to says this is a sophisticated new type of ransomware attack… and many victims do pay.”

The ransom note threatens to release data stolen from Translink to the media as well as its customers and partners so the attack will be widely known, a move that is a hallmark of Egregor. The malware uses a tactic of siphoning off corporate information and threatening this “mass-media” release of it before encrypting all files.

The group also is at this time the only known ransomware to run scripts that cause printers at the organization to continuously print out the ransom note, according to a report in BleepingComputer. The same thing happened in an attack on South American retailer Cencosud in mid-November, an action that was documented in a video on Twitter.

Translink continues to investigate the attack and mitigate any damage done by it, Desmond said. Meanwhile, the service has been restored to Compass vending machines and tap-to-pay gates at transportation stations so travelers can once again use their cards, he said.

Egregor — the name of which refers to an occult term meant to signify the collective energy or force of a group of individuals–has been busy since it was first spotted in the wild in September and October. Earlier this week an attack on Kmart encrypted devices and servers connected to the company’s networks, knocking out back-end services.

In October, Egregor also claimed to have hacked gaming giant Ubisoft, lifting the source code for Watch Dogs: Legion, which was released on Oct. 29. It also took responsibility for a separate attack on gaming creator Crytek, relating to gaming titles like Arena of Fate and Warface.

Egregor also recently made headlines after it claimed responsibility for the Barnes & Noble cyberattack, first disclosed on Oct. 15. The bookseller had warned that it had been hacked in emailed notices to customers, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles