UPDATED 19:45 EDT / DECEMBER 06 2020

Vancouver’s public transport provider hit by ransomware attack

The public transport system of Vancouver, Canada, has been struck by a ransomware attack from the same gang that targeted big-box retailer Kmart earlier in the week.

The attack on Translink was first discovered Dec. 2 when the statutory authority tweeted that it was investigating suspicious activity on its network, but the attack may date to Nov. 30 when Translink’s online Next Bus feature started having issues. Translink publicly disclosed the ransomware attack Dec. 3.

Just how extensive the attack on Translink was has not been disclosed. The authority said only that it uses “a number of tools to prevent, identify and mitigate these types of attacks,” and it’s “working to resume normal operations as quickly and safely as possible.”

BIV.com reported Dec. 3 that Translink’s Trip Planner tool had been disabled and SkyTrain riders couldn’t use credit or debit cards to purchase fares. Payments for monthly passes and other services also faced delays.

The attack is being attributed to the Egregor ransomware gang. The gang, first detected in September, uses a so-called double-tap attack, in which data is both encrypted and stolen. Those behind the ransomware then demand a ransom payment not to release the stolen data.

That seems to be the case here, since a ransom note from the gang stated that private data had been downloaded and that “soon mass media, your partners and clients will know about your PR.” Translink was given three days to get in contact, under threat that the data would be released.

Services on Translink are back to normal as of the time of writing. The authority said it’s undertaking a comprehensive forensic investigation and no fare payment data had been stolen.

“The attack on Translink highlights ransomware’s extraordinary ability to cripple an organization’s operations and services,” Sanjay Jagad, senior director of products and solutions at enterprise data storage company Cloudian Inc., told SiliconANGLE. “Once again, this speaks to the need for stronger defense measures to protect against ransomware attacks.”

Tyler Reese, senior product manager at identity and access management service provider One Identity LLC, discussed the Kmart and Translink attacks in terms of whether either organization should pay any ransom demanded.

“It’s important for companies to know that even if they pay the ransom, which they shouldn’t, it doesn’t mean they’ll get the information back,” Reese explained. “Hackers have been increasingly turning to ransomware-as-a-service, which means that the attacker may not have the ability to release the information allowing it to be available on the dark web forever.”

Instead of paying the ransom, he added, organizations should look toward malware removal or execution of a recovery plan. “However, malware removal isn’t always possible and a recovery plan could cause more downtime than an organization simply can afford,” he acknowledged. “The only option to avoid paying the ransom would be to prevent the attack altogether by having the right security measures in place.”

Photo: Exp691/Wikimedia Commons
