Ransomware gang known for government attacks claims Maryland transit incident

One day after the Maryland Transit Administration confirmed that data was stolen during a cyberattack last month, a ransomware gang known for attacks on governments in the U.S. took credit for the incident. 

This week, the Maryland Transit Administration (MTA) provided an update on the situation, which came to light last month when Maryland officials said several state departments were dealing with a cyberattack affecting systems used to organize transportation for disabled people.

On Monday, the MTA confirmed that data was lost during the cyberattack. MTA spokesperson Veronica Battisti would not say how many people were affected and told Recorded Future News the agency is “unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation.”

The state’s Department of Information Technology is working with cybersecurity experts and law enforcement agencies to investigate the incident, officials said. 

On Wednesday, the Rhysida ransomware ransomware gang took credit for the attack, according to cybersecurity company VenariX, demanding a ransom of 30 bitcoin or $3.4 million. The MTA was reportedly given seven days to pay the ransom.

The ransomware gang shared samples of the data that was stolen, including what it said were passports, driver’s licenses, contracts and other documents.

While the MTA’s core transportation services — which include bus lines, subways and a light rail system — were not affected, the attack disrupted some real-time information systems and other tools used for the specialized transit service called Mobility. 

Mobility serves people who cannot get to or wait at a bus stop. The shared ride service is ordered through a website and takes people from their homes to their destination. 

Mobility service was restored through an interim call system on August 29, but the MTA would not say how long the recovery effort will take. Some buses are still not providing real-time tracking.

While the MTA figures out what data was stolen and who was impacted, the agency provided a range of actions state residents can take in advance to protect themselves. Maryland residents should watch out for phishing emails, change any passwords, use multifactor authentication and update the software used on all devices. 

One of many  

The attack on MTA the second alleged ransomware incident involving a state government this week, after the INC ransomware gang took credit for a breach of Pennsylvania’s attorney general office. 

Rhysida has devastated several city and state governments across the U.S. since emerging in 2023. Attacks on the city governments in Seattle and Columbus, Ohio  disrupted critical services and caused chaos. 

The group has also attacked multiple national government departments in Kuwait, Portugal and the Dominican Republic while showing no reticence in attacking children’s hospitals, prominent healthcare networks, Christian charities and libraries. 

Last year, Rhysida attacked Maryland’s Prince George’s County Public Schools district, exposing the personal information of nearly 100,000 people.