The threat players behind the Egregor ransomware are showing skill in their early months of activity. after targeting struggling US retailer Kmart, the Egregor gang also disrupted the Vancouver Metro system through a ransomware attack.
This attack, which prevented Translink users from using their metro cards or buying tickets at kiosks, is the 2nd from the prolific threat group this week.
Translink, the Canadian city’s public transportation network, confirmed Thurs. via a statement by its CEO Kevin Desmond on Twitter that it was “the target of a ransomware attack on some of our IT infrastructure” that “included communications to Translink through a printed message.”
The attack took place on Dec. 1 & left Vancouver residents & other users of the public transit service unable to use their Compass metro cards or pay for new tickets via the agency’s Compass ticketing kiosks, says media reports.
Translink officials avoided accepting the attack for 2 days, passing it off as a technical issue before being pressed by multiple local news agencies about what really happened.
“Working with my colleague @pjimmyradio, we can confirm for @NEWS1130 that @TransLink has been hacked,” tweeted Martin MacMahon, a senior news reporter at local radio news station News 1130. “Our information comes from multiple sources within the transit authority, who have shared the ransom letter with us.”
Although officials did not say Egregor was responsible for the attack, & the threat players behind the ransomware have not ‘fessed up to it either — the ransom note that accompanied the attack points to the group as the culprit.
Intent to Pay
Jordan Armstrong, a reporter from another local news outlet, Global BC, tweeted a photo of the ransom note in the early hours of Fri. morning, saying it was “rolling off the printers at @TransLink.”
“Sources tell me, at this point, @TransLink does NOT intend to pay,” he wrote. “But a cyber-security expert we spoke to says this is a sophisticated new type of ransomware attack… & many victims do pay.”
The ransom note threatens to release data stolen from Translink to the media as well as its customers & partners so the attack will be widely known, a move that is a hallmark of Egregor. The malware uses a tactic of siphoning off corporate information & threatening this “mass-media” release of it before encrypting all files.
The group also is at this time the only known ransomware to run scripts that cause printers at the organisation to continuously print out the ransom note, according to a report in Bleeping Computer. The same thing occurred in an attack on S. American retailer Cencosud in mid-Nov., an action that was documented in a video on Twitter.
Translink continues to investigate the attack & mitigate any damage done by it, Desmond explained. Meanwhile, the service has been restored to Compass vending machines & tap-to-pay gates at transportation stations so travellers can once again use their cards, he observed.
Egregor — the name of which refers to an occult term meant to signify the collective energy or force of a group of individuals–has been busy since it was 1st seen in Sept. & Oct. Earlier this week an attack on Kmart encrypted devices & servers connected to the company’s networks, knocking out back-end services.
In Oct., Egregor also claimed to have hacked gaming giant Ubisoft, lifting the source code for Watch Dogs: Legion, which was released on Oct. 29. It also took responsibility for a separate attack on gaming creator Crytek, relating to gaming titles like Arena of Fate & Warface.
Egregor also recently made headlines after it claimed responsibility for the Barnes & Noble cyberattack, first disclosed on Oct. 15. The bookseller had warned that it had been hacked in emailed notices to customers, “which resulted in unauthorised and unlawful access to certain Barnes & Noble corporate systems.”