{
	"id": "3da9457d-2d87-4d5e-8407-05358f9323a7",
	"created_at": "2026-04-06T00:22:23.203903Z",
	"updated_at": "2026-04-10T03:20:30.450994Z",
	"deleted_at": null,
	"sha1_hash": "c24ede6e21b7b8b582ee7d15fde68825623cceb6",
	"title": "Metro Vancouver's transit system hit by Egregor ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3002327,
	"plain_text": "Metro Vancouver's transit system hit by Egregor ransomware\r\nBy Lawrence Abrams\r\nPublished: 2020-12-04 · Archived: 2026-04-05 12:57:03 UTC\r\nThe Egregor ransomware operation has breached Metro Vancouver’s transportation agency TransLink with the cyberattack\r\ncausing disruptions in services and payment systems.\r\nOn December 1st, TransLink's announced that they were having issues with their information technology systems that\r\naffected phones, online services, and the ability to pay for fares using a credit card or debit card. All transit services were\r\nunaffected by the IT problems.\r\nAfter restoring the payment systems, TransLink issued a statement disclosing that a ransomware attack caused the IT\r\nproblems.\r\nhttps://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure.\r\nThis attack includes communications to TransLink through a printed message,\" TransLink disclosed in a statement.\r\nEgregor ransomware was behind TransLink's attack\r\nGlobal BC reporter Jordan Armstrong tweeted a picture of the ransom note and stated that TransLink printers were\r\nrepeatedly printing ransom notes.\r\nFrom the picture of the ransom note, BleepingComputer can confirm that it was the Egregor ransomware operation behind\r\nthe attack.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731 or on Wire at @lawrenceabrams-bc.\r\nEgregor is also the only ransomware known to run scripts that print bomb ransom notes to available printers, as described by\r\nArmstrong in his tweet. The Egregor gang performed this same tactic during a recent Cencosud cyberattack, where receipt\r\nprinters began repeatedly printing ransom notes to draw public attention to the attack.\r\nEgregor is a new organized cybercrime operation that partners with affiliates to hack into networks and deploy their\r\nransomware. As part of this arrangement, affiliates earn 70% of ransom payments they generate, and the Egregor operators\r\nmake a 30% revenue share.\r\nThe affiliates who compromise a network are known to steal unencrypted files before encrypting devices with the Egregor\r\nransomware. The hackers then use these stolen files as further leverage by telling victims they will be publicly released if a\r\nransom is not paid.\r\nThis ransomware gang began operating in September 2020 after another ransomware group known as Maze shut down their\r\noperation. Threat actors told BleepingComputer that many of the affiliates that worked with Maze moved over to Egregor,\r\nwhich allowed the new operation to amass many victims quickly.\r\nThese attacks include numerous high-profile companies worldwide, including Kmart, Cencosud, Crytek, Ubisoft,\r\nand Barnes and Noble.\r\nThx to Jack Zhang for the tip!\r\nhttps://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/"
	],
	"report_names": [
		"metro-vancouvers-transit-system-hit-by-egregor-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c24ede6e21b7b8b582ee7d15fde68825623cceb6.pdf",
		"text": "https://archive.orkl.eu/c24ede6e21b7b8b582ee7d15fde68825623cceb6.txt",
		"img": "https://archive.orkl.eu/c24ede6e21b7b8b582ee7d15fde68825623cceb6.jpg"
	}
}