IT staff at the Toronto Transit Commission (TTC) are still dealing with the effects of a ransomware attack which was detected just as the weekend started.
In an interview Monday morning a spokesperson said there is no new information on the ransomware strain, the cause or whether data has been stolen
Asked Saturday if the TTC had determined how the attack started, and identified the strain of ransomware involved, Shabnum Durrani, head of corporate communications said, “We are still looking into the situation.”
She stressed that the impact on the bus, streetcar and subway service of the nation’s biggest transit system so far has been minimal, although its Vision communications system used to communicate with drivers, has been knocked offline. Operators have been forced to communicate with Transit Control with radios.
In addition, those needing to use the Wheel Trans van service for transit can’t book online. Instead they have to phone to reserve pickup.
Also offline is the TTC ‘next vehicle’ information service, which displays when the next bus or subway train will arrive on platforms and on trip planning apps.
The TTC’s internal email service is also offline. Durrani couldn’t say if the attackers were able to copy emails of employees, nor could she said if any corporate data was copied. These issues are still being investigated, she said.
UPDATE: On Tuesday morning TTC spokesperson Stuart Green said parts of the Vision system, including operator communications and vehicle tracking, were back online. However the email, Wheel Trans online booking and next-transit-vehicle-coming services weren’t. There was no timetable on when these would be restored. He also said IT still hadn’t determined the strain of ransomware involved or whether any data had been copied by the attackers.
UPDATE: On Tuesday afternoon the online booking system was back online.
UPDATE: On Wednesday afternoon the ‘Next Vehicle Arriving’ service was back online.
On Saturday Durrani wouldn’t say if the TTC has been in contact with the attackers. “I cannot comment on that at this time,” she said.
When asked if the TTC has brought in more IT resources to help investigate and restore service, she said the commission is working with other partners, and on the question of whether the Ontario government has been asked for help, she responded that “all levels of government are aware of the situation. We are working with the Toronto Police.”
She added, “The TTC has business continuity plans in place, but as you know, cyber attacks are evolving very quickly.”
Not the first attack on a transit system
A number of transit systems have been impacted by ransomware in recent years, noted Brett Callow, a British Columbia-based threat analyst for Emsisoft. These include British Columbia’s TransLink which was hit with a $7.5 demand late last year.
In 2016 San Francisco’s transit system was hit by ransomware, which forced the agency to stop selling tickets for a time on its light rail system. Passengers on a Saturday got free rides. The attacker demanded 100 Bitcoins, or approximately US$73,000, to unlock the damage. The hacker never had access to the computers that control trains, fare gates or ticket machines, one news site reported. The attack mainly affected the ability of employees to log on to some computers and to send and receive emails. The transit system was able to restore access from backups. No ransom was paid.
“It’s unlikely that TTC was specifically targeted,” Callow said. “The majority of attacks are the result of random spray-and-pray campaigns.
“Recovery can be a slow process,” he added. “While organizations are often able to restore key systems reasonably quickly, complete recovery can take months. At this point, it’s not clear which gang was responsible for the attack or whether data was exfiltrated.”
Although law enforcement agencies around the world have scored some victories this year — the REvil gang has twice been pushed offline, and police in Ukraine and Switzerland last week arrested 12 persons allegedly connected with ransomware gangs — attacks continue.
SonicWall said in a report released Friday that it has logged 495 million ransomware attempts so far this year to date. At that rate, it said, 2021 will be the most costly and dangerous year on record.
“As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens,” SonicWall CEO Bill Conner said in a statement. “The real-world damage caused by these attacks is beyond anecdotal at this point. It’s a serious national and global problem that has already taken a toll on businesses and governments everywhere. I’m hopeful that the recent global ransomware summit is the next step toward a greater response at global, national and state levels.”
This story will be updated as the situation evolves.