Thought leadership. Threat analysis. Cybersecurity news and alerts.
Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services
Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.
In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers."
TTC said the impacted services and systems include:
In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control with radios. Customers of Wheel Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call.
Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She couldn’t say also if the attackers were able to copy emails of employees, nor could she say if any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”
As of November 3, TTC spokesperson Stuart Green said that Wheel Trans online booking system is now up and running.
Ransomware Attacks on Public Transport Systems
In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.
“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.”
The ransomware attack on TransLink led to multi-day transit payment problems.
Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing their files. Ransomware attackers demand ransom payment from victims in exchange for the decryption tool that promises to unlock the encrypted files.
A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data from victims gives rise to double extortion, and lately triple extortion.
In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:
Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.
Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that stolen data from their computer networks will be published online if payment for the non-publication of the stolen date won’t be paid.
What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS) has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack has been known to add DDoS attack to their attack tactics.
In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.
Adding DDoS on top of encryption and stealing data, adds pressure to IT staff who are already overwhelmed with the encryption and stolen data issues.
Security researchers also refer to ransomware triple extortion as an expansion of demand payments to victims’ customers, partners, and other third parties. Vastaamo, a Psychotherapy Center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached for nearly a year the Center’s computer network.
Attackers demand from Vastaamo to pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breached period, attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers already leaked online the private data of hundreds of patients.
Cybersecurity Best Practices
Here are some cybersecurity best practices against ransomware attacks:
Steve E. Driz, I.S.P., ITCP