The ransomware was confirmed by Merseyrail, which provides train service through sixty-eight stations in the Liverpool City Region, after its email system was found to have been used to email employees and journalists about the attack.
Using the subject line ‘Lockbit Ransomware Attack and Data Theft’, the emails were found to be from the account of Andy Heath, director of Merseyrail.
The message sent told employees that a previous weekend’s outage was downplayed, and that they suffered a ransomware attack where the hackers stole employee and customer data.
Included in an email was a link to an image showing an employee’s personal information that Lockbit allegedly stole during the attack.
In a statement to BleepingComputer, Merseyrail said: “We can confirm that Merseyrail was recently subject to a cyber attack.
“A full investigation has been launched and is continuing. In the meantime, we have notified the relevant authorities.”
The Information Commissioner’s Office (ICO) has also confirmed that Merseyrail made them aware of the “incident.”
Comparing different AI approaches to email security
In response, Paul Norris, senior systems engineer at Tripwire, said: “We should hope that Merseyrail is prepared to respond to ransomware, including the potential operational disruptions that come with that response. But while we tend to focus on the response to ransomware, prevention is still the best way to deal with the threat.
“Ransomware doesn’t magically appear on systems, and the methods by which it’s introduced into an environment are generally well understood: phishing, vulnerability exploits, and misconfigurations, which is why hardening systems helps to safeguard the integrity of your digital assets and protect against vulnerabilities.”
Brian Higgins, security specialist at Comparitech, commented: “This kind of extortion strategy is becoming ever more common in cases of ransomware. Not content with encrypting data and demanding money, criminals have caught on to the fact that if their successful breaches are made public before their victims can implement any incident response plans they have an extra layer of leverage to encourage payment more quickly.
“Whether it’s contacting potentially affected customers and/or staff, or notifying the media (both of which tactics appear to have been used in this case), the added pressure to resolve the issue can often force victim organisations to bypass security policies and pay up.
“It would appear that, in this particular instance, Merseyrail are holding their nerve and following industry standard protocols instead. It takes corporate courage to back up your data, inform the relevant authorities and keep hold of your cash.
“I hope Merseyrail come out of this successfuly and provide a case-study of good practice for future cyber crime victims.”