PROVIDENCE, R.I. (WPRI) — The ransom note the Rhode Island Public Transit Authority received on Aug. 5 began with a chilling statement.
“All of your files are currently encrypted by Conti strain,” the cyberhackers wrote.
The next day, RIPTA hired Coveware Inc., a firm that helps entities recover hacked data, according to new documents obtained by Target 12 through a public records request. The released records also showed the ransom note from Conti, a hacker group with Russian ties.
“We’ve downloaded a pack of your data and are ready to publish it on out (sic) news website if you do not respond,” they wrote.
RIPTA ended up paying Conti a $170,000 ransom on Aug. 12.
In its Internet Crime Report 2021, the FBI listed Conti as having the top ransomware for victimizing U.S. infrastructure with 87 incidents last year.
Patrick Laverty, a cybersecurity expert at Social Engineer LLC, explained ransomware in simple terms.
“Ransomware often comes in first by something as simple as employees clicking on a link,” he said. “And then once they have access to all the data, they’re going to lock it up so you need a password in order to access it again.”
In the ransom note, after Conti explained why RIPTA wouldn’t be able to access its data without contacting Conti directly, the hackers sought to prove they had RIPTA’s sensitive information — including social security numbers — writing: “To make sure that we really can get your data back — we offer you to decrypt 2 random files completely free of charge.”
Beyond that, Laverty said the ransom note is similar to others he’s seen, right down to the threat at the end.
RIPTA Cristy Raposo Perry told Target 12 in a statement: “RIPTA is not aware of any information relating to this incident being released on the dark web.”
FBI spokesperson Kristen Setera said, “The FBI encourages ransomware victims to not pay a hacker’s ransom demand. This is because payment (1) encourages continued criminal activity, (2) there is no guarantee the hacker will decrypt a victim’s files, and (3) affected files can sometimes become corrupted from encryption, thereby rendering them unrecoverable.”
Setera said the FBI’s Boston division, which oversees all of Massachusetts, Maine, New Hampshire, and Rhode Island, receives at least two to three reports a week from new victims, and the agency estimates “the actual rate of infection is much higher than what is reported to us.”
RIPTA has previously stated it took until Oct. 28 to determine whose information was compromised.
RIPTA sent letters to 22,000 affected state employees – both current and retired – notifying them and their families that suspected criminals accessed files related to the state’s health insurance billing plan which contained their personal information.
The R.I. Attorney General’s office is actively investigating the security breach. Lawmakers have raised questions about the time it took RIPTA to share information about the hack with those affected, with multiple bills filed to require faster notification.