Throwback Attack: Egregor ransomware attacks Metro Vancouver TransLink


As more and more people head back into the office, public transportation is becoming normalized again. Riders already have to keep track of route schedules, tickets and everything else they need to carry with them. The last thing on someone’s mind while waiting for a TransLink bus or train (or any other form of public transportation) is the possibility of a ransomware attack.

On Dec. 1, 2020, TransLink, the public transportation authority for Metro Vancouver, was under attack. For two days customers were unable to use Compass cards or the Compass ticketing kiosks and had to revert to cash payments. The agency reassured riders that it does not store customer payment information, so customers did not have to worry about their personal data getting out, but the real issue was with employee data and internal communications systems.

Originally, TransLink said that what was happening was just a technical issue. However, a local news outlet figured out what was really going on thanks to sources within the transit authority sharing the ransom note with them. That reporting pushed TransLink to confirm the attack. “We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT (information technology) infrastructure,” TransLink CEO Kevin Desmond said in a statement.

In an ominous sign, TransLink’s printers repeatedly printed the ransom note. At the time, the public did not know the size of the ransom demand. It has since come out that the threat actors were asking for around $7.5 million. While the ransom was never paid, TransLink still risked losing customers’ trust in its systems.

The attackers accessed personal information, such as banking information and social insurance numbers (Canada’s equivalent of social security numbers), of employees, including some former and retired employees, and of a limited number of employees’ spouses. The agency did not disclose how many people had their information stolen, only that all affected individuals received a notification letter by mail. According to an article from Bitdefender, the agency’s payroll operations were shut down. Employees were told they would still be paid, but through a cash advance at only 65% of their normal pay and without payroll deductions.

On the second day of the attack, TransLink lost its communications systems, which meant it could no longer track its buses. Even four months after the attack, the TransLink app still could not show real-time arrival information, only scheduled departure times. Before anything was brought back online, TransLink’s IT staff had to inspect every server thoroughly to determine what had been accessed and confirm that it was safe.

Egregor ransomware

Egregor works like most ransomware of its kind: the operators break in, steal data and then encrypt systems. What sets it apart is that it puts the screws to its victims by also sending the ransom note to any printer attached to the compromised network. In some instances the printers seemed “possessed,” which is how one person described the printer they captured on video, according to a Tripwire article. If TransLink was trying to keep the attack quiet, printers churning out ransom notes were a dead giveaway. Egregor recognized that the fear of lasting reputational damage from a data breach or ransomware attack is highly effective at convincing organizations to pay up, and this twist makes the attack impossible to hide, forcing victims into a corner.
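The print-bombing behaviour described above leaves a loud trace in print-server logs, so a simple detection is worth having. The following is an added example, not Egregor’s code and not anything from TransLink: a small Python detector that reads simplified print-job records and flags any user/document pair that reaches several distinct printers, or a large number of jobs, within a short window. The record format, the thresholds and the sample log lines are constructed for the example; the field names are assumptions, and a real deployment would populate them from the print server’s job audit log.

```python
"""Detect an Egregor-style ransom-note print burst from print-job records.

Added example. The pipe-separated record format below is a constructed,
simplified rendering of what a print-server job audit log carries
(timestamp, user, host, document name, printer). It is not Egregor code and
not TransLink's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds (assumptions for this example): one user/document pair reaching
# this many distinct printers, or this many total jobs, inside WINDOW is
# flagged. Tune both against a baseline of the environment's normal print volume.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_PRINTERS = 3
MIN_TOTAL_JOBS = 10

# Constructed sample records: "time|user|host|document|printer".
# Lines 2-7 model a service account spraying one ransom-note-like document
# across every printer it can reach; the other lines are ordinary traffic.
SAMPLE_LOG = """\
2020-12-01T05:58:12|alice|WS-014|Q4 budget.xlsx|PRN-FIN-1
2020-12-01T06:01:03|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-OPS-1
2020-12-01T06:01:04|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-OPS-2
2020-12-01T06:01:04|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-FIN-1
2020-12-01T06:01:05|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-HR-1
2020-12-01T06:01:06|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-OPS-1
2020-12-01T06:01:07|svc_backup|SRV-FILE-02|RECOVER-FILES.txt|PRN-OPS-2
2020-12-01T06:02:30|bob|WS-027|timetable.pdf|PRN-OPS-1
2020-12-01T06:40:00|alice|WS-014|Q4 budget.xlsx|PRN-FIN-1
"""


def parse_log(text):
    """Parse pipe-separated job records into dicts with a datetime 'time'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, doc, printer = line.split("|")
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "host": host, "document": doc, "printer": printer})
    return records


def find_print_bursts(records, window=WINDOW,
                      min_printers=MIN_DISTINCT_PRINTERS,
                      min_jobs=MIN_TOTAL_JOBS):
    """Return one alert per (user, document) pair whose jobs, within any
    window-long span, hit at least min_printers distinct printers or add up
    to at least min_jobs submissions. The largest qualifying span is reported."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_key[(rec["user"], rec["document"])].append(rec)

    alerts = []
    for (user, doc), jobs in by_key.items():
        best = None
        for i, first in enumerate(jobs):
            # Every job of this key that starts within `window` of job i.
            span = [j for j in jobs[i:] if j["time"] - first["time"] <= window]
            printers = {j["printer"] for j in span}
            if len(printers) >= min_printers or len(span) >= min_jobs:
                if best is None or len(span) > best["jobs"]:
                    best = {"user": user, "host": first["host"], "document": doc,
                            "first_seen": first["time"].isoformat(),
                            "jobs": len(span), "printers": sorted(printers)}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_print_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['first_seen']} {alert['user']}@{alert['host']} "
              f"printed '{alert['document']}' {alert['jobs']}x to "
              f"{len(alert['printers'])} printers: {', '.join(alert['printers'])}")
```

On Windows print servers the fields above can be taken from the Microsoft-Windows-PrintService/Operational log, whose event 307 records each printed document with the user, document name and printer; that log is disabled by default and has to be turned on before an incident for this kind of detection to have anything to read. The alert is also a useful pivot for response: the originating host and account point at the machine the operators were running their script from.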

Egregor showed up on the scene around the time the Maze ransomware group started to shut down, and affiliates of the Maze group appear to have moved over to Egregor. Although descriptions of the malware vary, the consensus is that Egregor is a variant of the Sekhmet ransomware family, according to a CSO article. The same article reports that Egregor has claimed at least 71 victims across 19 different industries worldwide.

Other Egregor victims include Cencosud, Barnes & Noble, Ubisoft and Randstad. These attacks shared the same DNA as the hit on TransLink: the attackers stole data and published a portion of it online. Egregor also hit GBMC Healthcare in Maryland at the height of the COVID-19 pandemic. This is the double-extortion model: even organizations with working backups can restore their systems, but they still face having the stolen data leaked if they refuse to pay the ransom.

The outcome

In a collaborative effort, French, U.S. and Ukrainian authorities arrested members of Egregor, among them the group’s leader, and Egregor’s website was taken offline. French law enforcement was able to trace ransom payments to individuals in Ukraine. The arrests were a good step toward shutting Egregor down for good, but just as Maze shut down before Egregor emerged, there is no guarantee that another group won’t simply step into its place.
