On December 1st, transportation agency TransLink announced that they were having issues with systems that affected phones, online services and payment processing. The transit services themselves were unaffected. Once payment systems were restored, TransLink confirmed that the incident had been a ransomware attack that included a ransom note printed on the victim’s printer equipment by the malware. Jordan Armstrong, a reporter for Global BC tweeted a picture of the printed ransom note which displayed links to the Egregor live chat website.
This is the second time a printed ransom note has been publicly confirmed. Previously, Cencosud was the only known victim to see this type of activity from the Egregor group. Egregor also claimed US department store Kmart this week. This year has shown that all organizations need to create and maintain an incident response plan, including procedures specific to ransomware incidents. Defenders should focus on Qakbot and Cobalt Strike infections which are known to result in Egregor deployments. When an attack makes it through, it is important to have sufficient monitoring of endpoints and network devices with quick response from a Security Operations Center that operates 24 hours a day, every day.