The Pierce County Public Transportation Benefit Area Corporation (Pierce Transit) has fallen victim to a cyberattack using LockBit ransomware. Pierce Transit is a public transit operator in Washington state.
The attack began on February 14, 2023, and required Pierce Transit to implement temporary workarounds, to maintain the service of the transit system which transports around 18,000 people every day.
Based on the number of known attacks, Lockbit has been the most widely used ransomware-as-a-service (RaaS) for some time now. It accounted for almost a third of all known RaaS attacks last year, peaking at almost half of all known ransomware attacks in September 2022. The largest ransom demand it made in 2022 was a staggering $50 million. And it hasn’t tempered its ambitions in 2023—last month it tried to get $80 million out of UK’s Royal Mail, but was politely shown the door by its negotiator.
On February 28, the LockBit ransomware group published details of the attack on Pierce Transit, along with a public demand for just shy of $2 million in return for the stolen data. Publishing data like this is normally a sign that negotiations have broken down or that the victim does not intend to pay. The ransomware group claims to have stolen contracts, client information, non-disclosure agreements, correspondence, and more, all of which are now on sale.
The eye-watering ransom demand is just one of the costs of an attack like this. Even if a ransomware victim pays for a decryption key, it takes time to restore systems and the total damages are almost always a multiple of the ransom.
According to The Record, The incident has been reported to law enforcement agencies, and forensic experts were brought in to investigate the nature and scope of the event. If it turns out that LockBit managed to steal and leak client information, the company intends to let them know. A spokeswoman stated:
“We are dedicated to informing our community, as appropriate, as our inquiry progresses.”
The majority of its operations have now been fully restored and Pierce Transit says it plans to implement new cybersecurity monitoring tools and security measures.
Public transportation is an essential service and any long-term disruption of its internal networks could have a devastating effect on the people who rely on it to get to school, their work, or medical appointments.
Thankfully, Pierce Transit managed to keep operations going, but undoubtedly there will be financial losses resulting from system failure and damage restoration in the short- and long-term.
Ransomware-as-a-service is the most lucrative and dangerous form of cybercrime. Individual attacks can bring entire organizations to a halt and raise multi-million-dollar ransoms. You can learn more about LockBit and the danger it poses to your organization in our 2023 State of Malware report.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.
Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.