
Cyber Incident Victim: Trinity Metro

Date: Jul 2020

Location: United States of America

Summary

The Trinity Metro transit agency suffered a ransomware attack by the NetWalker group, compromising sensitive data including vendor documents, passenger information systems, and internal access files. Attackers encrypted systems, disrupting phone lines and booking operations while threatening public release of stolen data through a dark web countdown timer unless ransom demands were met. The group showcased proof of exfiltration via screenshots on their dark web platform, employing psychological pressure tactics previously used against other institutions to coerce payment.


Description

On or around July 1, 2020, the NetWalker ransomware group compromised Trinity Metro, the public transit agency serving Fort Worth, Texas. The attack disrupted critical operational systems, including phone lines and booking platforms, impairing normal service functions. NetWalker exfiltrated sensitive data from Trinity Metro’s networks before encrypting files, a tactic consistent with the group’s double-extortion strategy. The stolen data included vendor tax documents (labeled "Vendor W9s"), passenger information system files, and database-related materials ("ACCESS stuff"), as evidenced by screenshots later published by the attackers.

NetWalker issued a ransom demand, threatening to publicly release the stolen data if payment was not made. The group intensified pressure by hosting a countdown timer on their dark web blog, explicitly stating that once the timer expired, the files would be made accessible worldwide for unrestricted download. This mirrored NetWalker’s prior attacks against Michigan State University and a California medical school, reinforcing their pattern of targeting public-sector entities.


The attackers publicly claimed responsibility for the breach on their dark web platform, a known hub for distributing stolen data and coordinating ransomware operations. They posted screenshots of Trinity Metro’s encrypted files as proof of compromise, leveraging the fear of data exposure to coerce payment. The published file listings indicated the theft of hundreds of documents containing sensitive operational, financial, and passenger-related information. No details regarding Trinity Metro’s containment efforts, ransom negotiations, or system recovery processes were disclosed in the available source material.

The incident highlighted NetWalker’s operational sophistication, including their use of dark web infrastructure for psychological coercion and data dissemination. Consequences extended beyond immediate service disruptions, with potential long-term risks from the exposure of vendor and passenger data. The countdown mechanism exemplified a broader trend among ransomware groups to accelerate victim compliance through publicly visible deadlines.
