{
	"id": "3246a50d-b402-4d11-88e4-9b1a2d94e23a",
	"created_at": "2026-04-06T00:17:39.340291Z",
	"updated_at": "2026-04-10T13:12:31.932742Z",
	"deleted_at": null,
	"sha1_hash": "c9646ba4ed922915f84c81a445c7571b26eb9c29",
	"title": "UK rail network Merseyrail likely hit by Lockbit ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3560168,
	"plain_text": "UK rail network Merseyrail likely hit by Lockbit ransomware\r\nBy Lawrence Abrams\r\nPublished: 2021-04-28 · Archived: 2026-04-05 21:18:52 UTC\r\nUK rail network Merseyrail has confirmed a cyberattack after a ransomware gang used their email system to email\r\nemployees and journalists about the attack.\r\nMerseyrail is a UK rail network that provides train service through sixty-eight stations in the Liverpool City Region in\r\nEngland.\r\n\"We can confirm that Merseyrail was recently subject to a cyber-attack. A full investigation has been launched and is\r\ncontinuing. In the meantime, we have notified the relevant authorities,\" Merseyrail told BleepingComputer yesterday after\r\nwe received a mysterious email earlier this month from the account of Andy Heath, the Director of Merseyrail.\r\nhttps://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nRansomware gang uses Merseyrail's email system against them\r\nWhile the cyberattack has not been publicly disclosed, BleepingComputer learned of the attack after receiving a strange\r\nemail on April 18th from Heith's email account with the mail subject, \"Lockbit Ransomware Attack and Data Theft.\"\r\nThis email was sent to BleepingComputer, various UK newspapers, and the staff of Merseyrail in what appears to be a\r\ntakeover of the Director's @merseyrail.org Office 365 email account by the Lockbit Ransomware gang.\r\nIn this email, the threat actors pretended to be Merseyrail's Director telling employees that a previous weekend's outage was\r\ndownplayed and that they suffered a ransomware attack where the hackers stole employee and customer data.\r\nIncluded in the email is a link to an image showing an employee's personal information that Lockbit allegedly stole during\r\nthe attack.\r\nAfter numerous attempts to contact Merseryrail and confirm the attack, we finally received the rail network's statement last\r\nnight.\r\n\"It would be inappropriate for us to comment further while the investigation is underway,\" Merseyrail told\r\nBleepingComputer when we questioned how the Director's email was compromised.\r\nIn response to our queries, the UK Information Commissioner's Office (ICO) also confirmed that Merseyrail made them\r\naware of the \"incident.\"\r\n\"Merseyrail has made us aware of an incident and we are assessing the information provided,\" the ICO told\r\nBleepingComputer via email.\r\nRansomware gangs aggressively extort victims\r\nOver the past year, ransomware gangs have become increasingly aggressive in their extortion tactics.\r\nIn the past, ransomware attacks consisted of threat actors stealing victims' data and then encrypting their files to force a\r\nransom payment.\r\nOver time, threat actor's tactics have escalated to performing DDoS attacks on victims' networks and websites, emailing\r\ncustomers and journalists, and threatening to contact stock exchanges.\r\nSadly, while these attacks are ongoing, the employees and customers are usually the last to know what is happening with\r\ntheir data and organization.\r\nUsing a victim's email system to promote their attacks to both employees, journalists, and customers could turn that on its\r\nhead.\r\nhttps://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/"
	],
	"report_names": [
		"uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9646ba4ed922915f84c81a445c7571b26eb9c29.pdf",
		"text": "https://archive.orkl.eu/c9646ba4ed922915f84c81a445c7571b26eb9c29.txt",
		"img": "https://archive.orkl.eu/c9646ba4ed922915f84c81a445c7571b26eb9c29.jpg"
	}
}