Extortionists behind TransLink ransomware attack also targeted Barnes & Noble and two major gaming companies

      Before this week, most Vancouverites had never heard of the term Egregor.

      But that changed when Global B.C. News obtained a note from the extortionists who targeted TransLink's information-technology infrastructure.

      A group calling itself Egregor claimed responsibility.

      "The ransom note which Global News appears to have obtained, and of which a short extract was published, is consistent with the note used by a ransomware group called Egregor," Emsisoft threat analyst Brett Callow told the Straight.

      "Like multiple other groups, Egregor do not only encrypt their victims’ data, they steal it too," Callow continued. "They use the threat of releasing or selling the stolen data as additional leverage to extort payment."

      TransLink CEO Kevin Desmond said on December 3 that the organization "will be conducting a comprehensive forensic investigation to determine how the incident occurred, and what information may have been affected as a result".

      "We want to assure our customers that TransLink does not store fare payment data," Desmond said. "We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data."

      Customers could resume using credit cards and debit cards at Compass vending machines and Tap to Pay fare gates last night after the system was shut down for several days.

      TransLink CEO Kevin Desmond has confirmed that the regional transportation authority was targeted by cybercriminals.

      TransLink would not tell the Straight whether it has paid ransom. However, Global B.C. News reporter Jordan Armstrong cited an unnamed source who said that no money has been forwarded to the cybercriminals.

      Callow said that Egregor has also victimized book retailer Barnes & Noble, gaming companies Ubisoft and Crytek, and Chile-based retailer Cencosud.

      "The people behind Egregor may well be the same people responsible for Maze, another ransomware operation that was retired shortly before Egregor was launched," Callow added. "The Maze group was responsible for numerous Canadian ransomware incidents, including the attacks on the Government of PEI, Bird Construction, Andrew Agencies and a number of law firms."

      The ransomware attack on TransLink is the highest-profile hacking event in Canada since a cyberattack on LifeLabs a year ago.

      At that time Callow said that the Toronto-based company made an "absolutely terrible decision" when it decided to pay ransom to retrieve data relating to 15 million customers.

      "It's akin to paying a blackmailer in the hope that they will return an incriminating photo to you," Callow said in December 2019. "They may return the photo but then they also kept a copy. LifeLabs is working on nothing more than a pinky promise that the data won't be used."

      Others who've been hacked since then include Craftsman Collision, Simon Fraser University, and the District of Squamish.

      In February, Emsisoft released a report concluding that the average ransomware demand in the United States was $84,000 last year. That’s since increased to between $150,000 and $250,000—compared to just $5,000 in 2018.

      One-third of companies paid the demand.

      In Canada, ransomware attacks cost nearly $260 billion last year, according to the Emsisoft report.
