{
	"id": "401198fd-3e83-4702-8f98-fb963063154a",
	"created_at": "2026-04-06T00:10:28.520997Z",
	"updated_at": "2026-04-10T03:32:26.652661Z",
	"deleted_at": null,
	"sha1_hash": "f80e78ca85d53bf223e09a73a48a019c46a36397",
	"title": "Washington state public bus system confirms ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179119,
	"plain_text": "Washington state public bus system confirms ransomware attack\r\nBy Jonathan Greig\r\nPublished: 2023-03-07 · Archived: 2026-04-05 19:41:47 UTC\r\nA public transportation system serving parts of Washington state has confirmed that a ransomware attack two\r\nweeks ago disrupted some of its systems. \r\nPierce Transit — which provides bus, van and carpool services primarily to the city of Tacoma and the\r\nsurrounding Pierce County area — said the ransomware attack started on February 14 and forced the organization\r\nto put temporary workarounds in place. \r\nThe transit system serves about 18,000 people each day.\r\n“Third party forensic experts were engaged to conduct a thorough investigation into the nature and scope of the\r\nincident, and law enforcement has been notified. Importantly, our transit operations and rider safety were not\r\nimpacted as a result of this incident,” a spokesperson told The Record. \r\nThe LockBit ransomware group took credit for the attack and had demanded a ransom by February 28. The Pierce\r\nTransit spokesperson said the agency was aware that the deadline had passed. \r\n“All transportation services are operating as normal. However, temporary workarounds were put in place for\r\ncertain affected administrative systems in the initial hours and days following the incident. The majority of\r\noperations have now been fully restored,” the spokesperson said.\r\nhttps://therecord.media/pierce-transit-washington-ransomware-attack-lockbit\r\nPage 1 of 3\n\nCredit: Better Cyber\r\nThe agency is still investigating the incident and attempting to understand what sensitive data was accessed.\r\nThe organization plans to notify customers if their information was stolen and leaked by LockBit. 
The\r\nransomware group claimed it stole correspondence, non-disclosure agreements, customer data, contracts and\r\nmore.\r\nPierce Transit said it intends to put in place more security measures and additional cybersecurity monitoring tools\r\nto “reduce the likelihood of a similar issue reoccurring.”\r\n“As our investigation continues, we are committed to keeping our community informed, as appropriate,” the\r\nspokesperson said. \r\nPierce Transit becomes the latest transportation organization to suffer from a ransomware attack, with the San\r\nFrancisco Bay Area Rapid Transit (BART) hit with ransomware in January, its second incident in recent years.\r\nSimilar victims include the Silicon Valley-area Santa Clara Valley Transportation Authority in 2021 and the\r\nPhiladelphia-area Southeastern Pennsylvania Transportation Authority in 2020.\r\nThe transit bureau for Cape Cod, Massachusetts, took weeks to recover last year after a Memorial Day weekend\r\nransomware attack, and the Toronto Transit Commission (TTC) reported an attack in November.\r\nNew York City’s Metropolitan Transportation Authority — one of the largest transportation systems in the world\r\n— was also hacked by a group based in China. While the attack did not involve ransomware and did not cause any\r\ndamage, city officials raised alarms in a report because the attackers could have reached critical systems and may\r\nhave left backdoors inside the network.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. 
Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/pierce-transit-washington-ransomware-attack-lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/pierce-transit-washington-ransomware-attack-lockbit"
	],
	"report_names": [
		"pierce-transit-washington-ransomware-attack-lockbit"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f80e78ca85d53bf223e09a73a48a019c46a36397.pdf",
		"text": "https://archive.orkl.eu/f80e78ca85d53bf223e09a73a48a019c46a36397.txt",
		"img": "https://archive.orkl.eu/f80e78ca85d53bf223e09a73a48a019c46a36397.jpg"
	}
}