Cyber Incident Victim: Greater Richmond Transit Company
Date: Nov 2023
Location: United States of America
Summary
The Greater Richmond Transit Company experienced a network disruption from a cyberattack claimed by the Play ransomware gang, which temporarily impacted certain applications and network segments. The transit operator's IT team restored systems promptly with no ongoing service interruptions, while third-party specialists investigated the incident's scope; the organization declined to confirm ransomware specifics or potential data theft. This incident aligns with broader targeting of public transit agencies by ransomware groups, including recent attacks on systems in St. Louis, Washington state, and multiple other U.S. municipalities over recent years.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Greater Richmond Transit Company (GRTC), which operates bus and specialized transportation services across Richmond, Chesterfield, and Henrico Counties in Virginia, experienced a network disruption due to a cyberattack around the Thanksgiving holiday in November 2023. The incident temporarily impacted certain applications and segments of GRTC’s computer network, though the organization’s IT staff promptly detected the issue and restored network functionality. GRTC engaged third-party cybersecurity specialists to investigate the nature and scope of the incident while assuring riders that all services resumed normal operations without anticipated additional disruptions. The transit provider, jointly owned by Richmond and Chesterfield County, facilitated over 8.7 million rides in 2022 and averaged approximately 31,200 weekday riders prior to the attack. GRTC’s spokesperson declined to confirm whether the incident involved ransomware or data exfiltration, despite external attribution of the attack.

The Play ransomware gang publicly claimed responsibility for the attack on December 7, 2023, listing GRTC on its leak site and setting a ransom payment deadline of December 13. Play’s targeting of GRTC aligned with its 2023 pattern of attacking municipal entities, including prior operations against Oakland, Dallas County, and Lowell, Massachusetts. GRTC’s incident occurred amid a broader trend of ransomware attacks against U.S. transit systems, such as the October 2023 breach of St. Louis’ Metro Call-A-Ride service and the March 2023 attack on Washington state’s transportation system. Historical precedents included ransomware incidents affecting San Francisco BART (2023 and earlier), Philadelphia’s SEPTA (2020), Toronto Transit Commission (2021), and Cape Cod’s transit bureau (2022). While GRTC restored operations rapidly, the Play gang’s involvement underscored persistent threats to critical transit infrastructure, with investigations into the attack’s full impact remaining ongoing through third-party analysts.
