It’s been a busy week for the cybercriminals behind the Egregor ransomware. The group first grabbed headlines for breaching systems at K-Mart. Their next attack disrupted mass transit service just north of the border in Vancouver, British Columbia.

Translink, which operates buses, trains, water taxis, and even gondolas throughout the Vancouver metropolitan area, announced the attack via its official Twitter account just days ago.

CEO Kevin Desmond wrote on December 3rd that the company took immediate action upon detecting the attack. Critical systems were taken offline to contain the ransomware’s spread and minimize impact on Translink’s operations.

Customers’ payment card data was not accessed as it’s managed by a third-party processor. Translink itself doesn’t store any information from individual cards.

Sources told Global TV reporter Jordan Armstrong that Translink did not intend to pay the ransom. That’s the approach encouraged by law enforcement officials — although ransomware gangs are now giving high-profile victims like Translink a lot more to think about.

There’s much more to a ransomware attack these days than encrypting a victim’s sensitive files, especially when the strain is as sophisticated as Egregor.

Egregor first surfaced in September of this year. Its operators are notoriously aggressive in negotiations, typically giving a victim just 72 hours to respond. If the deadline is missed, the attackers immediately begin publishing the victim’s data online.

That’s not a unique approach anymore. Numerous ransomware crews have been using the threat of data leaks to extort payments this year.

In the Translink incident, however, the Egregor gang added an unusual twist. Ransom demands are often left on computer systems alongside the victim’s encrypted files. At Translink the attackers reportedly also printed ransom notes on the company’s printers.

Vulnerable printers have been abused by hackers on a large scale in the past, but those incidents have generally been acts of vandalism or experimentation. The Egregor gang has printed ransom notes at least once before, when systems belonging to South American retail giant Cencosud were compromised.

Why print physical copies? In a word, intimidation. It’s a way for the attackers to demonstrate the level of access they’ve achieved within a victim’s network — and it underscores just how high the stakes really are.