With the support of external experts, the Société de transport de Montréal (STM) has completed its internal investigation of the ransomware cyber attack that occurred on October 19.
Thanks to numerous IT protection investments over the past six years, the STM was able to isolate its systems within four hours and restore the 600 critical servers (out of a total of 1,600) that were affected.
Following an in-depth analysis of corporate technology infrastructure, the investigation showed that the attack was made using a highly sophisticated variant of the RansomExx computer virus, which included a very high level of automation. The investigation also revealed that the STM’s other environments were not impacted. The attack did not affect bus and métro service at any time.
The STM estimates that the cost to restore its servers was $2M in goods and services, plus the cost of lost time, which still needs to be evaluated. The STM is preparing to file a claim with its insurers.
The investigation process
As soon as its computer environment was secured, the STM analysed the virus’s behaviour to understand how it operates and take action to protect the systems and prevent a potential second attack.
Next, the teams made sure that no massive data leak had occurred. The investigation confirmed that one had not. However, on November 16, the technical investigation revealed a minor automated data exfiltration caused by the virus, which allowed it to explore certain technical equipment. Because the STM reacted so quickly, the virus exfiltrated data from only five of its 6,500 computers and 38 of its 1,000 servers. On these devices, the virus entered through the desktop or the trash can.
Some low-sensitivity personal information belonging to 24 of our 11,000 employees and 72 of our 645,000 customers across our three networks (bus, métro and paratransit) was accessed. The information was mostly first and last names, email addresses and phone numbers. The STM contacted the 96 individuals to inform them of the situation, reassure them that experts considered the risk to be low and offer basic IT security advice for their computers.
Two of the 76 employees mentioned above had more sensitive information stolen by the hacker. They were informed quickly and offered support from a specialized firm.
The investigation’s findings now suggest that no further data were exfiltrated. In addition, no further demands were made by the cyber attacker. The investigation is now complete: recommendations from external experts have been made, and it has been determined that all of the system components most at risk of being targeted by the hacker have been analysed. Once finished, the final report will be sent to the police authorities involved so that they can determine the next steps in the criminal investigation.
“Thanks to rigorous preparation, investments of tens of millions of dollars and numerous improvements implemented over the past six years, the STM and its teams, whom I want to thank for their hard work during this crisis, were able to isolate the attack and restore our servers, without major damage to the STM, its customers and its employees,” said Luc Tremblay, Chief Executive Officer of the STM.