Merseyrail is a rail company located in the United Kingdom that employs around 1,200 people with 68 stations all over the Liverpool City Region, along with four underground stations in the city centre. It operates over 600 services per day for every 15 minutes was named one of the top 3 rail companies in the United Kingdom in recognition of its service and commitment to the environment.
Recently, Merseyrail confirmed that they suffered a cyber-attack from a ransomware group after third parties received an inexplicable email on April 18th.
The threat actors behind the attack used the Merseyrail email system to announce that the company had suffered a cyber-attack. The email was sent to the employees, several United Kingdom newspapers, and journalists on April 18th with an email subject, “Lock bit Ransomware Attack and Data Theft. Threat actors pretended to be Merseyrail’s Director. They used the Director’s @merseyrail.org Office 365 email account to inform the employees and other parties that the weekend’s outage was downplayed. The company has suffered a ransomware attack that results in the stolen data of employees and customers. In addition, the email also contains an image showing the personal information of an employee that considers being one of the stolen data. The detail of the attack is not yet disclosed as the investigations are still ongoing.
Lock bit, the threat actor behind the attack
The Lock bit ransomware functions as a ransomware-as-a-service (RaaS) that targets mid to large enterprises and government organizations. It demands financial payment in trade for decryption and threatens the victim organization for operations disruptions, extortion, and data theft, and illegal publication.
As it works as a RaaS, the ransomware developers will lease the ransomware variants to the attacking parties. Payments are divided between the Lock bit developer and attacking partners who will obtain up to ¾ of the ransom amount. The first recorded attack of Lock bit ransomware was in September 2019 under the name of the .abcd virus and considered part of the malware family “LockerGoga and MegaCortex.”
Once the attacker successfully infected the single host, the Lock bit ransomware has a unique capability to look for another available host that can be attached with the infected host and distribute the malware using a script. It can automatically self-propagate the malware within the organization and disguise the executable encrypting file as a. PNG image format.
The standard attack vectors used by the Lock bit threat actors are Remote Desktop Protocol (RDP), Phishing emails, and software/hardware vulnerability. The threat actors continuously add new capabilities to the Lock bit malware and are determined to conduct more attacks in the future.