Metro Vancouver Transit System affected by Egregor ransomware

Egregor’s ransomware operation attacked Metro Vancouver’s TransLink transportation company, causing disruption to services and payment systems.

On December 1, TransLink announced that it had problems with its information systems affecting cell phones, online services, and payment by credit or debit cards. When recovering payment systems, TransLink issued a statement confirming that the victim was a ransomware attack that was responsible for the IT problems.

“We can now confirm that TransLink was the target of a ransomware attack on part of our IT infrastructure. This attack involves communicating with TransLink via a printed message,” it said in a statement.

Egregor ransomware was behind the TransLink attack

Jordan Armstrong, a journalist at Global BC, tweeted a picture of the ransom note and stated that TransLink printers were printing those ransom notes non-stop.
Egregor is also the only known ransomware that runs scripts that print ransom notes on available printers, as described by Armstrong in his tweet. The egregor gang recently used the same tactic in a cyber attack in Cencosud, in which receipt machines continuously printed ransom notes to alert the public of a cyber attack.

Egregor is a new organized cybercrime system that works with affiliated companies to hack networks and deliver their ransomware. As a result of these associations, the member organizations have so far received 70% of the necessary rescue packages and those responsible for Egregor 30% of this income.
It is known that partners who compromise a network steal unencrypted files and then encrypt them with the Egregor ransomware. These stolen files are then used by hackers to blackmail victims by threatening to release the files.

This ransomware band went live in September 2020 after another group of ransomware called Maze disappeared.

(Source: Bleeping Computer)

Copyright © Grupo Edefa SA Reproduction, in whole or in part, of this article is prohibited without the prior authorization of the publisher.

Back to top button