Kansas bus agency KCATA discloses ransomware attack, Medusa group demands $2 million ransom

The Kansas City Area Transportation Authority (KCATA) has disclosed a ransomware attack that took place on Tuesday, Jan. 23, resulting in communication disruptions. The Medusa ransomware group has claimed responsibility for the attack and has posted alleged data samples from KCATA on its extortion portal on the dark web.

The ransomware gang is reported to have added the KCATA to its Tor leak site and published samples of the alleged stolen data as proof of the data breach. The ransomware gang threatens to release all the stolen data unless the company pays a US$2 million ransom. The Medusa group also offers the victims the option to extend the deadline by paying $100,000 per day.

The transport agency has promptly notified the relevant authorities, including the FBI (Federal Bureau of Investigation). It, however, did not disclose the nature of the systems affected, the number of systems affected, the ransomware family that compromised its systems, or whether a data breach occurred.

“All service is operating, including fixed-route buses, Freedom and Freedom-On-Demand paratransit service,” KCATA said in a news statement.

Following the ransomware attack targeting its communications systems, KCATA said that the primary customer impact is that regional RideKC call centers cannot receive calls, nor can any KCATA landline. 

The agency called upon Freedom and Freedom-On-Demand Paratransit customers who want to schedule a trip to contact various numbers based on their location: KCMO & Independence: 816-512-5563; Wyandotte County: 913-573-8351; and Johnson County: 913-362-3500. In addition, fixed-route bus customers can access bus schedule information by visiting RideKC.org or using the Transit app.

The notice added that the KCATA is “working around the clock with our outside cyber professionals and will have systems back up and running as soon as possible.”

Last July, U.S. agencies issued a joint cybersecurity advisory providing information on the MedusaLocker ransomware, including recent activity observed in May. The hackers predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks, encrypt the victim’s data, and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address.

The KCATA ransomware attack comes a few days after Veolia North America’s Municipal Water division reported that it experienced a ransomware incident that has impacted certain software applications and systems. In response, the company’s IT and security incident response teams have swiftly mobilized and are actively collaborating with law enforcement and other third parties to investigate and resolve the incident. Similarly, Southern Water, a U.K. water company, has acknowledged that cybercriminals have claimed to have stolen data from some of their IT systems.
