Vancouver’s metro transit system (TransLink) was recently hit by a ransomware threat known as Egregor, causing significant disruption to the metro’s payment systems and online services. As with any other ransomware attack, the goal here was to force the transportation agency that runs the metro to release a massive amount of money as a
On the 1st of December, TransLink, the transportation agency of Metro Vancouver, announced that it had been having problems with its phones, credit and debit card transactions, and online services. According to TransLink, the announced issues and disruptions did not affect the transit services themselves.
Later, after the problem with the payment systems had been resolved, TransLink released another statement clarifying that the cause of Metro Vancouver’s IT problems was a ransomware attack that hit the agency’s systems.
The ransom note in which the hackers state their demands was delivered to TransLink as a printed message, which has already been posted on Twitter.
Egregor Ransomware responsible for the attack on TransLink
From the printed ransom note, it quickly becomes obvious that the hackers behind this attack are known as the Egregor group, which uses a ransomware strain of the same name to blackmail its victims.
What’s interesting about this particular ransomware strain is that it causes the attacked systems to uncontrollably print out the ransom note on the printers of the attacked network. According to reporters, TransLink’s printers kept ceaselessly printing out the Egregor ransom note after the infection occurred.
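The mass printing described above is a loud, detectable symptom: many near-identical print jobs appearing within seconds across multiple queues and submitting hosts. The following added example (not code from the original article, and not an Egregor artefact) shows how a defender could flag such a print flood from a print-server log. The log format, host names, printer queue names and the document name `RECOVER-FILES.txt` are all constructed for the example; the thresholds (`min_jobs`, `min_printers`, `window`) are tunable assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified print-server log lines (hypothetical format:
# "<ISO timestamp> host=<submitting host> printer=<queue> doc=<document name>").
# These are NOT real TransLink records; the ransom-note file name is invented.
SAMPLE_LOG = """\
2020-12-01T08:00:01 host=WS-101 printer=FLOOR2-HP doc=Q4_budget.xlsx
2020-12-01T08:00:12 host=WS-142 printer=FLOOR3-HP doc=timetable.pdf
2020-12-01T08:03:00 host=WS-101 printer=FLOOR2-HP doc=RECOVER-FILES.txt
2020-12-01T08:03:01 host=WS-101 printer=FLOOR3-HP doc=RECOVER-FILES.txt
2020-12-01T08:03:01 host=WS-142 printer=FLOOR2-HP doc=RECOVER-FILES.txt
2020-12-01T08:03:02 host=WS-142 printer=LOBBY-LEXMARK doc=RECOVER-FILES.txt
2020-12-01T08:03:02 host=WS-207 printer=FLOOR3-HP doc=RECOVER-FILES.txt
2020-12-01T08:03:03 host=WS-207 printer=LOBBY-LEXMARK doc=RECOVER-FILES.txt
2020-12-01T08:03:03 host=WS-101 printer=FLOOR2-HP doc=RECOVER-FILES.txt
2020-12-01T08:03:04 host=WS-142 printer=FLOOR3-HP doc=RECOVER-FILES.txt
2020-12-01T08:15:00 host=WS-101 printer=FLOOR2-HP doc=Q4_budget.xlsx
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), **fields}


def find_print_floods(log_text, window=timedelta(minutes=1),
                      min_jobs=5, min_printers=2):
    """Return one alert per document name whose densest `window` of jobs
    contains at least `min_jobs` jobs spread over at least `min_printers`
    distinct queues. Normal office printing rarely repeats one document
    across many queues within a minute; a ransomware note flood does."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_doc = defaultdict(list)
    for e in events:
        by_doc[e["doc"]].append(e)

    alerts = []
    for doc, evs in by_doc.items():
        # Sliding window over this document's jobs; keep the densest span.
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) > len(best):
                best = span
        printers = {e["printer"] for e in best}
        if len(best) >= min_jobs and len(printers) >= min_printers:
            alerts.append({
                "doc": doc,
                "jobs": len(best),
                "printers": sorted(printers),
                "hosts": sorted({e["host"] for e in best}),
                "first": best[0]["ts"],
                "last": best[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_print_floods(SAMPLE_LOG):
        print(f"PRINT FLOOD: {alert['doc']} x{alert['jobs']} "
              f"on {alert['printers']} from {alert['hosts']} "
              f"between {alert['first']} and {alert['last']}")
```

Run against the constructed log, the two ordinary jobs are ignored and a single alert is raised for the invented `RECOVER-FILES.txt`, naming every queue and workstation involved. Requiring several distinct printers as well as a job count keeps a single user accidentally printing ten copies from tripping the rule, while the list of submitting hosts gives the responder an initial scope of affected machines.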
This is not the first instance of such an attack by the Egregor gang, and it is confirmed that other victims of this hacker group have given in to the criminals’ demands and paid the ransom.
Currently, there is no official information on whether TransLink intends to pay, but different sources suggest that the transportation agency is not currently considering payment as an option and does not intend to comply with the hackers’ demands.
According to the ransom message, if TransLink fails to pay within three days, all of the company’s data will be published online.
An interesting fact about the Egregor group is that it typically works with affiliate hacker organizations in order to get its ransomware deployed into the targeted network. According to different sources, the Egregor group only keeps 30% of the ransom share whereas its affiliates take the remaining 70%.
Usually, the affiliates do most of the work by infiltrating a targeted network, stealing the data stored on it and then encrypting the attacked devices using the Egregor ransomware. This allows the hackers to blackmail the victim both for the decryption of the targeted devices and also by leveraging the threat of releasing the collected company data to the public.
The Egregor group is a very recently created hacker organization that became active sometime during September 2020. According to researchers, the people involved with Egregor ransomware are likely the same people who previously worked with the Maze ransomware organization, which disappeared a little before Egregor was formed. Both Egregor and Maze are known for prioritizing attacks on big companies all around the world over attacks on individual users.