Rail network Merseyrail recently announced it has suffered a cyberattack. The rail operator confirmed that a ransomware group used the company's own email systems to contact its employees and UK journalists, claiming responsibility for the attack.

Confirmation of a cyber strike

The Merseyrail network currently provides regular train services on routes encompassing sixty-eight different stations around Liverpool and the wider area, including Chester, Southport and the Wirral. IT help site BleepingComputer received an email from the ransomware gang responsible, who used the account of Merseyrail Director, Andy Heath, to send the message to them.

The email carried the subject line, “Lockbit Ransomware Attack and Data Theft.”

The body of the email was spoofed to appear as though it had been written by the Director of Merseyrail. It commented on a recent outage of the train operator’s systems, stating that the incident had been downplayed and was in fact a serious ransomware attack. The email added that during the attack, the hackers responsible had stolen the data of both staff and customers.

As proof, the email also contained a link to a digital image displaying a personnel member’s private data, allegedly obtained in the ransomware raid.

The help site was not the only entity to receive this notification; many of the rail network’s own staff were emailed, along with several newspapers across the UK.

Investigating a ransomware attack

Following the unusual email, BleepingComputer contacted the train operator for further details.

Merseyrail replied to the inquiry:

“We can confirm that Merseyrail was recently subject to a cyber-attack. A full investigation has been launched and is continuing. In the meantime, we have notified the relevant authorities.”

When asked for further information on how the company director’s email account had been hacked, Merseyrail stated:

“It would be inappropriate for us to comment further while the investigation is underway.”

Further investigation revealed that the UK’s Information Commissioner’s Office (ICO) had been informed of the cyberattack in line with regulations. All enterprises and organisations that suffer an attack resulting in a data breach where personal information is at risk or disclosed have 72 hours following discovery of an incident to report it to the data regulator.

The ICO commented:

“Merseyrail has made us aware of an incident and we are assessing the information provided.”

In the past year, cybersecurity experts have seen active ransomware gangs become increasingly aggressive in their extortion methods.

Earlier ransomware attacks mainly consisted of hackers stealing a target’s information before encrypting data files in order to obtain a ransom payment. However, over time the tactics used have intensified to increase pressure on victims. Clients and journalists are contacted, threats are made to inform stock exchanges, and DDoS attacks knock victims’ websites and networks offline.

By contacting staff and members of the press, ransomware operators can cause further panic and disruption, and foil any attempts by companies to keep cyberattacks quiet. The negative publicity of being a business known for data leaks is always something enterprises are keen to avoid.