Metro Vancouver’s Transit System Hit By Egregor Ransomware

The Egregor ransomware operation has breached Metro Vancouver’s transportation agency TransLink with the cyberattack causing disruptions in services and payment systems.

On December 1st, TransLink’s announced that they were having issues with their information technology systems that affected phones, online services, and the ability to pay for fares using a credit card or debit card. All transit services were unaffected by the IT problems.

After restoring the payment systems, TransLink issued a statement disclosing that a ransomware attack caused the IT problems.

“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure. This attack includes communications to TransLink through a printed message,” TransLink disclosed in a statement.

Also Read: Key PDPA Amendments 2019/2020 You Should Know

Egregor ransomware was behind TransLink’s attack

Global BC reporter Jordan Armstrong tweeted a picture of the ransom note and stated that TransLink printers were repeatedly printing ransom notes.

From the picture of the ransom note, BleepingComputer can confirm that it was the Egregor ransomware operation behind the attack.

Egregor is also the only ransomware known to run scripts that print bomb ransom notes to available printers, as described by Armstrong in his tweet. The Egregor gang performed this same tactic during recent Cencosud cyberattack, where receipt printers began repeatedly printing ransom notes to draw public attention to the attack.

Egregor is a new organized cybercrime operation that partners with affiliates to hack into networks and deploy their ransomware. As part of this arrangement, affiliates earn 70% of ransom payments they generate, and the Egregor operators make a 30% revenue share.

The affiliates who compromise a network are known to steal unencrypted files before encrypting devices with the Egregor ransomware. The hackers then use these stolen files as further leverage by telling victims they will be publicly released if a ransom is not paid.

This ransomware gang began operating in September 2020 after another ransomware group known as Maze shut down their operation. Threat actors told BleepingComputer that many of the affiliates that worked with Maze moved over to Egregor, which allowed the new operation to amass many victims quickly.

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

These attacks include numerous high-profile companies worldwide, including Kmart, Cencosud, Crytek, Ubisoft, and Barnes and Noble.

Thx to Jack Zhang for the tip!