Notorious criminal group hacks Fort Worth agency, holding data for ransom, experts say
A ransomware gang is holding Fort Worth’s regional transportation agency’s private data hostage, according to two cybersecurity companies that monitor the criminal group.
The group NetWalker hacked Trinity Metro’s private files and is threatening to release all their data unless Trinity Metro gives them money, threat analysts from Emsisoft and Binary Defense told the Star-Telegram.
A Trinity Metro spokeswoman said they cannot comment on cybersecurity issues. As of Thursday, the agency had not sent any information on the hack. On their website, Trinity Metro posted a notice that their phone lines and ACCESS booking system were down due to a “technical issue.”
NetWalker is a notorious ransomware group that has attacked agencies, universities and groups across the world. On Thursday, the criminal group posted screenshots of Trinity Metro’s encrypted data files on their online blog on the dark web, said Randy Pargman, senior director of threat hunting and counterintelligence at the cybersecurity company Binary Defense.
Emsisoft Malware Lab also sent the Star-Telegram the screenshots from NetWalker’s blog. RansomLeaks, a Twitter account that describes itself as “Scouring the dank web for fresh ransomware leaks,” also identified Trinity Metro as NetWalker’s latest victim. The screenshots on the blog show a list of hundreds of files with labels such as “Vendor W9s,” “Passenger information system,” and “ACCESS stuff.”
In the upper right corner is a countdown clock that reads, “Secret data publication in —” and a time period. As of Thursday afternoon, the blog threatened all information would be released in eight days.
Pargman, who is also a former FBI senior computer scientist serving on the Cyber Task Force, said NetWalker has extorted dozens of other groups for money through this method.
“Once this time runs out, they will release those stolen files to the whole world,” Pargman said. “And anyone who wants to can download them and make use of them.”
Pargman said he has not seen any evidence of instructions to Trinity Metro or copies of the posted files, but there is a “very, very high degree of certainty” that Trinity Metro has become NetWalker’s latest victim.
He also emphasized the hack is not Trinity Metro’s, or other victims’, fault. NetWalker and other ransomware groups target organizations “that they feel provide some kind of important service that can’t be interrupted for long.”
Hospitals, health care providers, transit authorities and banks are common targets.
“It’s just not fair to blame them as if they were at fault for a criminal wanting to target them,” Pargman said. “Just like if somebody’s house was broken into by a burglar, you don’t blame the person who had their house broken into.”
When a ransomware group targets a company in this way, the company can either pay up — which Pargman discourages, though he said he knows some companies cannot avoid doing so — or rely on backups of the data and risk the information being posted publicly.
Based on Trinity Metro’s press release that their phone systems were down, Pargman said it was clear to him that the agency knows what happened.
Ransomware groups used to focus on quietly attacking encrypted files and dealing with their victim directly, Pargman said. But recently, more criminal groups publicize the hack to put pressure on the victim to pay up quickly.
The NetWalker ransomware group has extorted other major groups for money. On June 1, the hackers attacked the University of California - San Francisco. The university recently paid the hackers $1.14 million to prevent the release of student records and other information, according to a BBC investigation. Michigan State University and Columbia College of Chicago were also hacked by NetWalker in June.
In 2019, at least 966 companies or agencies were attacked or impacted by ransomware networks at a cost of more than $7.5 billion, according to Emsisoft Malware Lab.