Date: 2021-04-29
BACKGROUND
UK rail network Merseyrail has confirmed that it has been targeted by cyberattackers. The cybercriminals used its email system to notify employees and journalists about the ransomware, which was deemed to be Lockbit after an email from the 18th of April was found with the subject: “Lockbit ransomware attack and Data Theft”.
The situation is currently under investigation, but a few cybersecurity experts have offered their insights below:
Experts Comments
Yet another critical infrastructure provider impacted by a ransomware attack. It’s not known at this point if rail industrial control systems have been infiltrated, but certain aspects of the IT infrastructure have been compromised.
The Department for Transport has published guidance for rail operators to implement cyber resilience and reference the International standard IEC62443. In addition, critical infrastructure is subject to the UK transposition of the NIS regulation which is best implemented by the adoption of the NCSC CAF 3.0. Either way, there are some pretty uncomfortable questions that will be asked. What measures did you undertake to ensure your Risk Assessment was adequate? And, how do you validate your defenses are appropriate and proportionate? Both fundamental requirements for due diligent governance.
Ransomware attacks are among the fastest-growing cyber threats (one report projected that 2021 will see companies fall victim to an attack every 11 seconds). This is of particular concern for providers of crucial services such as Merseyrail, upon whom thousands of people rely for transportation into work.
While the scale of this cyberattack has not yet been widely disclosed, if frontline services were to be affected, an attack such as this could have serious economic ramifications for both Merseyrail and the wider region. It is also concerning that the ransomware gang were able to access Merseyrail's email systems, and allegedly steal data in what would seem to be an example of a worrying new trend of double extortion ransomware attacks.
The first and most important thing to do when you've been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc.) and remove external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves. The safest recovery method then is to wipe the device and restore its system and files using your backup data.
