Nobody is immune from getting pwned by ransomware. The Toronto Transit Commission illustrates this, as it has come to light that it is the victim of a ransomware attack:
Staff from the Toronto Transit Commission, along with external cybersecurity experts, continue to investigate and troubleshoot a systemwide ransomware attack.
The TTC says the personal information of riders and employees is safe, but service is still being impacted.
Customers will have trouble planning their trips online — ‘next vehicle’ information is unavailable — but there have not been any significant service disruptions to any TTC routes.
According to the TTC, it lost its Vision system, which is used to communicate with vehicle operators, forcing it to fall back on a backup radio system. It also lost the vehicle information used to update trip planning apps, and Wheel-Trans bookings were unavailable. Internal email service was also affected.
Given that the Toronto Transit Commission serves up a couple of million rides a day, this is not trivial. Hopefully two things happen. One: they recover from this quickly. Two: they figure out how the attackers got in and perpetrated this attack so that they are never a victim again.
UPDATE: Darktrace’s Director of Strategic Threat, Marcus Fowler, has the following comment:
As transit systems bounce back from the massive lull in ridership during the pandemic, they become an enticing target for ransomware actors. Anytime a ransomware attack can create a real-world impact, such as long lines or service disruption, cyber-criminals will likely demand higher ransom, with the expectation that victims will pay quickly. For the Toronto Transit Commission (TTC), thankfully, they reported no significant transit service disruption.
Interestingly, the TTC reported its security team detected unusual network activity Thursday night, and impact was minimal until midday Friday, when the attackers broadened their operations on network servers. When it comes to cyber disruptions, this is a critical point in the attack process. Identifying the intrusion is only the beginning of incident response.
Without the ability for an organization’s digital infrastructure to autonomously defend itself and disrupt the attacker, bad actors can pivot operations and immediately launch file encryption. Security teams find themselves in a race against time; time to detection, time to meaning, and time to response dictate success or failure for these teams. Those not automating portions of this chain to augment their human workforce will find it harder and harder to prevent business disruptions.