Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services
The Toronto Transit Commission (TTC), the public transport agency serving commuters in Toronto and the surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.
In a statement released on October 29, TTC said it had learned on October 28 that it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and that attackers "broadened their strike on network servers."
TTC said the impacted services and systems include:
In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control by radio. Wheel Trans van service customers who couldn’t book online were asked to phone to reserve a pickup. And without email service, customers are asked to call.
Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. Nor could she say whether the attackers copied employees' emails or any other corporate data. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”
As of November 3, TTC spokesperson Stuart Green said the Wheel Trans online booking system was up and running again.
Ransomware Attacks on Public Transport Systems
In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.
“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.”
The ransomware attack on TransLink led to multi-day transit payment problems.
Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts victims’ files so that the victims can no longer access them. Ransomware attackers demand a ransom payment from victims in exchange for a decryption tool that promises to unlock the encrypted files.
A few years ago it was unclear whether ransomware attackers also stole data from their victims. Today, ransomware attackers openly state that, besides encrypting files, they also steal data. This acknowledgment gave rise to double extortion and, lately, triple extortion.
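Defenders rarely get to see the ransom note first; what they can see is the file activity that precedes it. The following is an added example, not code from the article or from the TTC, of a simple heuristic that flags a process rewriting many files as high-entropy (encrypted-looking) blobs within a short window. The file-write events, process names and paths are constructed for the demonstration; in a real deployment they would come from an EDR agent or file audit log.

```python
"""Heuristic detector for ransomware-style mass file encryption (added example).

Idea: plaintext documents have Shannon entropy of roughly 4-5 bits per byte,
while ciphertext or random data sits close to 8. One process producing many
such writes in a few seconds, often with a new file extension, is a strong
signal that files are being encrypted in bulk.
"""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileWrite:
    ts: float        # seconds since epoch
    process: str     # writing process (hypothetical names below)
    path: str        # path written
    renamed: bool    # the write also changed the file's extension
    content: bytes   # bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=60.0, min_files=5, entropy_threshold=7.0):
    """Return {process: details} for every process that produced at least
    `min_files` high-entropy writes inside any `window`-second span."""
    flagged = {}
    recent = defaultdict(deque)  # process -> (ts, path, renamed) of recent high-entropy writes
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.content) < entropy_threshold:
            continue                      # looks like plaintext; ignore
        q = recent[ev.process]
        q.append((ev.ts, ev.path, ev.renamed))
        while q and ev.ts - q[0][0] > window:
            q.popleft()                   # slide the window forward
        if len(q) >= min_files and ev.process not in flagged:
            flagged[ev.process] = {
                "files": [p for _, p, _ in q],
                "renamed": sum(1 for _, _, r in q if r),
                "first_ts": q[0][0],
                "last_ts": ev.ts,
            }
    return flagged


def sample_events():
    """Constructed event stream: two benign writers and one suspicious one."""
    rng = random.Random(1)  # seeded so the sample is reproducible
    rand_blob = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly ridership report: routes, headways and vehicle counts.\n" * 64
    events = []
    # Benign: a report generator writing plaintext files every 30 seconds
    for i in range(8):
        events.append(FileWrite(1000.0 + i * 30, "report_gen", f"/data/report_{i}.txt", False, text))
    # Benign: a backup tool writing compressed (high-entropy) archives, but only one every 5 minutes
    for i in range(3):
        events.append(FileWrite(1000.0 + i * 300, "backup", f"/backup/arch_{i}.tgz", False, rand_blob(4096)))
    # Suspicious: one process rewriting a dozen documents as random-looking blobs, twice a second, with a new extension
    for i in range(12):
        events.append(FileWrite(2000.0 + i * 0.5, "unknown_proc", f"/share/doc_{i}.docx.locked", True, rand_blob(4096)))
    return events


if __name__ == "__main__":
    for proc, info in detect_mass_encryption(sample_events()).items():
        print(f"{proc}: {len(info['files'])} high-entropy writes, {info['renamed']} renamed, "
              f"between t={info['first_ts']} and t={info['last_ts']}")
```

The slow backup job is the important negative case: its archives are just as high-entropy as ciphertext, so entropy alone would produce false positives; it is the combination of entropy, volume and speed that separates it from the suspicious writer.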
In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:
Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.
Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names their victims. These victims are threatened that the data stolen from their computer networks will be published online unless they pay for its non-publication.
Distributed Denial-of-Service (DDoS), which used to be a stand-alone attack, has been made part of the overall attack process of some ransomware groups. DarkSide, the group behind the Colonial Pipeline ransomware attack, has been known to add DDoS attacks to its tactics.
In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.
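From the defender's side, the flood described above shows up first in the web server's access log as a sudden jump in request rate. The following is an added example, not code from the article, of rate-based flood detection over access-log lines in the common log format. It flags two patterns: a single source far above a per-IP threshold, and a distributed flood where every source stays under that threshold but the aggregate rate is far above normal. The log lines, addresses (from documentation ranges) and thresholds are constructed for the demonstration.

```python
"""Rate-based DDoS detection over web access logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'second', 'req'} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    second = int(datetime.strptime(m.group("ts"), TS_FMT).timestamp())
    return {"ip": m.group("ip"), "second": second, "req": m.group("req")}


def detect_flood(lines, per_ip_rps=20, aggregate_rps=100):
    """Flag sources exceeding `per_ip_rps` in any one second, and seconds in
    which the site as a whole received at least `aggregate_rps` requests."""
    per_sec = defaultdict(Counter)  # second -> Counter(ip -> requests)
    for ln in lines:
        rec = parse_line(ln)
        if rec is not None:
            per_sec[rec["second"]][rec["ip"]] += 1
    per_ip = {}      # ip -> worst observed requests/second
    aggregate = []   # seconds where the total rate looks like a flood
    for sec in sorted(per_sec):
        counter = per_sec[sec]
        for ip, n in counter.items():
            if n >= per_ip_rps:
                per_ip[ip] = max(per_ip.get(ip, 0), n)
        total = sum(counter.values())
        if total >= aggregate_rps:
            aggregate.append({"second": sec, "requests": total, "sources": len(counter)})
    return {"per_ip": per_ip, "aggregate": aggregate}


def make_sample_log():
    """Constructed log: a few real visitors, one loud attacker, many quiet ones."""
    base = datetime(2021, 10, 28, 9, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # Legitimate: 5 visitors, one request every 2 seconds for 20 seconds
    for i in range(5):
        for s in range(0, 20, 2):
            lines.append(line(f"203.0.113.{10 + i}", base + timedelta(seconds=s), f"/schedule/{s}"))
    # Single-source flood: one address sending 50 requests/second for 10 seconds
    for s in range(10):
        for _ in range(50):
            lines.append(line("198.51.100.7", base + timedelta(seconds=s), "/"))
    # Distributed flood: 100 addresses, each only 2 requests/second, for 10 seconds
    for i in range(100):
        for s in range(10):
            for _ in range(2):
                lines.append(line(f"192.0.2.{i + 1}", base + timedelta(seconds=s), "/"))
    return lines


if __name__ == "__main__":
    result = detect_flood(make_sample_log())
    print("noisy sources:", result["per_ip"])
    for a in result["aggregate"]:
        print(f"second {a['second']}: {a['requests']} requests from {a['sources']} sources")
```

The distributed case is why a per-IP limit on its own is not enough: each of the 100 quiet sources stays well under the threshold, and only the aggregate view reveals that the site is being flooded, which is the view an upstream provider or scrubbing service works from.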
Adding DDoS on top of encryption and data theft adds pressure on IT staff who are already overwhelmed dealing with the encrypted files and the stolen data.
Security researchers also use the term ransomware triple extortion for the expansion of payment demands to victims’ customers, partners, and other third parties. Vastaamo, a psychotherapy center in Finland with nearly 40,000 patients, declared bankruptcy after attackers had access to the center’s computer network for nearly a year.
The attackers demanded that Vastaamo pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breach period, the attackers started sending extortion messages to the patients, asking each of them to pay a certain amount of money to prevent their data from being published. The attackers had already leaked the private data of hundreds of patients online.
Cybersecurity Best Practices
Here are some cybersecurity best practices against ransomware attacks:
Steve E. Driz, I.S.P., ITCP