The Egregor ransomware gang struck TransLink, the authority responsible for managing Metro Vancouver’s transportation network.
On December 1, TransLink announced that certain issues were affecting its phones, online services and payment systems.
The authority later confirmed that it had suffered a ransomware attack and that those responsible for the infection had used its printers to deliver their ransom note.
Global BC reporter Jordan Armstrong confirmed this in his coverage of the security incident.
Bleeping Computer examined the ransom note and used it to attribute the attack to the Egregor ransomware gang.
At the end of October 2020, the security community learned that many of Maze’s affiliates were moving over to Egregor after Maze’s handlers had announced that they were shutting down that ransomware strain’s operations.
A few weeks after claiming Japanese video game developer Capcom as one of its victims, the Egregor ransomware crew drew attention to itself by hijacking its victims’ printers in order to deliver its ransom notes.
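From a defender's standpoint, a ransom note landing on every printer at once is a loud signal: one account pushing the same document to many printers within seconds is not a normal print pattern. The following is an added example, not code from the original article or from any vendor tool; it assumes print-server job records can be exported as (timestamp, printer, user, document) tuples (on Windows, the PrintService/Operational log's "Printing a document" event carries these fields), and the sample records are constructed for illustration.

```python
"""Flag a print flood: one user sending one document to many printers in a short window.

Added example (not from the original article). Input records are assumed to be
exported from a print server as (ISO timestamp, printer, user, document name);
the SAMPLE_JOBS below are constructed, not real TransLink data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ordinary morning jobs, then a burst of the same
# document from one account to every printer within a few seconds.
SAMPLE_JOBS = [
    ("2020-12-01T07:58:10", "PRN-FLOOR1", "alice", "Q4-budget.xlsx"),
    ("2020-12-01T08:02:44", "PRN-FLOOR2", "bob", "timesheet.pdf"),
    ("2020-12-01T08:15:03", "PRN-FLOOR1", "carol", "Q4-budget.xlsx"),
    ("2020-12-01T09:30:00", "PRN-FLOOR1", "svc-print", "RECOVER-FILES.txt"),
    ("2020-12-01T09:30:01", "PRN-FLOOR2", "svc-print", "RECOVER-FILES.txt"),
    ("2020-12-01T09:30:01", "PRN-FLOOR3", "svc-print", "RECOVER-FILES.txt"),
    ("2020-12-01T09:30:02", "PRN-LOBBY", "svc-print", "RECOVER-FILES.txt"),
    ("2020-12-01T09:30:03", "PRN-WAREHOUSE", "svc-print", "RECOVER-FILES.txt"),
]


def parse_jobs(rows):
    """Turn exported rows into (datetime, printer, user, document) tuples."""
    return [(datetime.fromisoformat(ts), printer, user, doc)
            for ts, printer, user, doc in rows]


def find_print_floods(jobs, window=timedelta(minutes=5), min_printers=3):
    """Return one alert per (user, document) pair that reached at least
    `min_printers` distinct printers inside any `window`-long span.

    Grouping by user *and* document keeps two colleagues printing the same
    spreadsheet on one floor from tripping the rule.
    """
    by_key = defaultdict(list)
    for ts, printer, user, doc in jobs:
        by_key[(user, doc)].append((ts, printer))

    alerts = []
    for (user, doc), entries in by_key.items():
        entries.sort()
        best_start, best_printers = None, set()
        # For each submission, collect the distinct printers hit within the
        # window that starts there; keep the widest spread seen for this pair.
        for i, (t0, _) in enumerate(entries):
            printers = {p for t, p in entries[i:] if t - t0 <= window}
            if len(printers) > len(best_printers):
                best_start, best_printers = t0, printers
        if len(best_printers) >= min_printers:
            alerts.append({
                "user": user,
                "document": doc,
                "printers": sorted(best_printers),
                "window_start": best_start.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_print_floods(parse_jobs(SAMPLE_JOBS)):
        print(f"print flood: {alert['user']} sent {alert['document']!r} "
              f"to {len(alert['printers'])} printers from {alert['window_start']}")
```

The thresholds are deliberately parameters: a print shop legitimately fans one job out to several devices, so tune `window` and `min_printers` to the environment's baseline before wiring the alert into a SIEM, and treat a hit as a trigger to check the submitting account and the hosts it reached, since by the time the note prints the encryption stage is usually already under way.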
Egregor is one of the many ransomware operations that maintains a data leaks site for publishing non-compliant victims’ stolen information. These portals enable digital attackers to double-extort their victims: once for the decryption key and again for the deletion of their stolen information.
The issue with Egregor is that it is among a handful of crypto-malware enterprises that don't always keep their promise to delete stolen data once a victim has paid the ransom. In fact, Egregor's attackers sparked the curiosity of security researchers in Q3 2020 by publishing stolen information on their site before the victims even knew that their data had been taken.
Egregor’s targets and techniques highlight the need for organizations to defend themselves against a ransomware infection. One of the ways they can do this is by working to prevent a ransomware attack in the first place. This resource could serve as a starting point for organizations’ anti-ransomware efforts.