Some Aucklanders might have quietly wanted it to drag on for weeks - as many cyber incidents have.

But in the event, Auckland Transport has dealt with a suspected ransomware attack quickly.

The free ride is over.

AT says its Hop card system will be progressively restored over the course of today - and those with negative balances will have to pay up.

“Indications are that this is a ransomware attack,” an AT spokesman told the Herald as the Hop system was hit last Thursday.

Commuters could still use their Hop cards to tag on to buses, trains and ferries, but the top-up function was disabled - meaning they could ride for free once their Hop card’s current balance was exhausted.

By the end of today, auto top-ups should be functioning again, along with online and kiosk options.

There will be a grace period until the end of Thursday for those with negative balances.

Those with auto top-ups who are in the red will see a credit card charge to put them back in the black.

‘AT data’ for sale on dark web

One wrinkle is that a ransomware gang called Medusa has offered what it says is AT data for sale on the dark web.

Brett Callow, a threat analyst with New Zealand-based security firm Emsisoft, took a screen grab of Medusa demanding US$1 million (NZ$1.69m) to delete all AT data or the same amount to download all AT data. For US$10,000 a countdown clock - down to seven hours and 19 minutes at the time of the screen grab, in an unclear timezone - could be pushed out an additional day.

The screen grab follows a common format for ransomware gangs to offer up data. The hope is that the victim will pay to download or delete their data before someone else snaffles it up.

A Medusa post to the dark web.

Medusa is a bona fide hacker group that Callow says was responsible for attacks on the Crown Princess Mary Cancer Centre in Australia, Tonga Communications, and the Minneapolis public school system, in an incident where sensitive student and teacher files were leaked.

It’s not clear if the gang actually has AT files, or if it’s just hoping a “dazed and confused” large organisation will fork over money.

If there’s no payment in such situations, it’s common for a clock to simply be reset.

The usual practice after a genuine heist is for a ransomware group to offer “taster data” - as was the case in June 2020 when sensitive F&P Appliances files, including an expenditure vs budget spreadsheet and a China Business Unit Report presentation, were offered as a sampler.

“While Medusa typically posts a small number of screenshots of the exfiltrated data as proof of the attack, they have not done so in this case,” Callow told the Herald this morning, soon after forwarding the screen grab.

“Why is impossible to say. It could be that they didn’t obtain any data and are attempting a shakedown,” Callow said.

“Or it could be that they believe releasing screenshots would lessen their chances of monetising the attack.”

Over the weekend, AT reiterated that there was no indication that any credit card or personal data had been compromised.

The Hop card system was designed, developed and implemented by French multinational Thales, but AT said it was one of its own systems that was hit in the cyber incident. Its investigations continue.

