A ransomware gang called Medusa has offered what it says is AT data for sale on the dark web. Image / NZ Herald
The Medusa ransomware gang is demanding US$1 million ($1.7m) for what it claims is Auckland Transport data.
But it’s got the cold shoulder from the council agency’s boss.
“AT is aware that Medusa has publicly announced a ransom for data. We have no interest in engaging with this illegal and malicious activity,” AT chief executive Dean Kimpton told the Herald.
Medusa is also offering the alleged data to anyone willing to pay US$1m if AT doesn’t jump in first.
But it could be a bluff. Brett Callow, a threat analyst with Emsisoft, notes it’s typical for a ransomware gang to offer some “taster” data - as was the case in June 2020 when sensitive F&P Appliances files, including an expenditure vs budget spreadsheet and a China Business Unit Report presentation, were offered as samplers.
“While Medusa typically posts a small number of screenshots of the exfiltrated data as proof of the attack, they have not done so in this case,” Callow told the Herald this morning, soon after spotting a Medusa post on the dark web.
“It could be that they didn’t obtain any data and are attempting a shakedown,” Callow said.
“Or it could be that they believe releasing screenshots would lessen their chances of monetising the attack.”
After its Hop card system was hit by a cyber attack last Thursday, AT said indications were that it was a ransomware attack, but it has maintained throughout that there was no sign of credit card or personal information being breached.
Kimpton reiterated that this morning, saying, “At this stage, we believe that no personal or financial information has been compromised.”
New hackers on the block
Medusa first emerged in 2021 but didn’t grab headlines until this year. Callow says the group has claimed responsibility for attacks on the Crown Princess Mary Cancer Centre in Australia, Tonga Communications, and the Minneapolis public school system in an incident where sensitive student and teacher files were leaked.
The gang’s home base is not known, but ransomware gangs are typically based in Eastern Europe or Russia - thanks to a mix of computer talent, and authorities often unwilling to cooperate with Western agencies.
This morning, Callow took a screen grab of a Medusa dark web post, in which the gang was demanding US$1m to delete all AT data or the same amount to download all AT data. For US$10,000 a countdown clock - down to seven hours and 19 minutes at the time of the screen grab, in an unclear timezone - could be pushed out an additional day.
The screen grab follows a common format for ransomware gangs to offer up data. The hope is that the victim will pay to download or delete their data before someone else snaffles it up. If no one bites, the countdown clock is often simply reset.
AT has not commented on whether it believes Medusa is the party responsible for the attack.
Some Aucklanders might have quietly wanted the cyber incident to drag on for weeks - as many have before it - given it allowed them to ride for free once their Hop card balance was exhausted.
But in the event, AT has dealt with a suspected ransomware attack with uncommon speed.
AT says its Hop card system will be progressively restored over the course of today - and those with negative balances will have to pay up.
“Indications are that this is a ransomware attack,” an AT spokesman told the Herald as the Hop system was hit last Thursday.
Commuters could still use their Hop cards to tag on to buses, trains and ferries, but the top-up function was disabled - meaning they could ride for free once their Hop card’s current balance was exhausted.
By the end of today, auto top-ups should be functioning again, along with online and kiosk options.
There will be a grace period until the end of Thursday for those with negative balances.
Those with auto top-ups who are in the red will see a credit card charge to put them back in the black.
AT staff will be stationed around its network this afternoon to answer queries.
The Hop card system was designed, developed and implemented by French multinational Thales, but AT said it was one of its own systems that was hit in the cyber incident.
“We take cyber security very seriously. We activated our security protocols as soon as we became aware of the incident last week and are working with our expert partners to minimise any future risk to our systems and customers’ data,” Kimpton said this morning.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.