Cyber Incident Victim: Precise ParkLink

Date: Mar 2019

Location: Canada

Summary

A ransomware attack disrupted operations at a parking garage operator, causing system failures that allowed unrestricted free entry for multiple days without access card verification. The incident impacted over 1,000 parking spaces, with compromised barriers at one major entrance requiring technicians to reinstall systems, suggesting unavailable backups. Analysis identified the malware as a Dharma ransomware variant, typically deployed via brute-forced Remote Desktop Services on internet-exposed systems, indicating opportunistic rather than targeted exploitation. The attack highlighted potential security gaps in the operator's infrastructure, including inadequate anti-malware protections and patch management practices common among non-technical organizations. A ransom note referenced encrypted files with a .ETH extension and a specific contact email.

Description

On March 26, 2019, ransomware infected computer systems operated by Precise ParkLink, disrupting operations at an underground parking garage used by employees of the Canadian Internet Registration Authority (CIRA). By the following morning, the attack had rendered access control systems inoperable, allowing unrestricted entry without verification of access cards. The affected garage, spanning multiple city blocks with over 1,000 spaces, included an entrance at Ottawa's TD Place Stadium where barriers remained raised throughout Wednesday. This failure enabled free public parking during the outage. Forensic evidence from infected systems identified the malware as a variant of the Dharma ransomware family, characterized by a ransom note containing the email address "[email protected]" and the .ETH file extension on encrypted data. While the intrusion method wasn't conclusively established, the source article noted Dharma's typical propagation through brute-force attacks on internet-exposed Remote Desktop Protocol (RDP) services, suggesting potential opportunistic exploitation of unsecured systems.

Technicians worked through Wednesday to restore functionality, with systems remaining offline that evening. A photograph provided to BleepingComputer depicted a workstation undergoing operating system reinstallation, indicating backup files were unavailable for immediate recovery. CIRA Communications Manager Spencer Callaghan acknowledged the incident in a public statement but clarified his organization had no insight into Precise ParkLink's cybersecurity protocols. He emphasized the broader trend of attackers targeting vulnerabilities in organizations regardless of size, citing inadequate anti-malware defenses and patch management as common weaknesses. Precise ParkLink did not respond to media inquiries regarding attack specifics or planned security improvements. The absence of viable decryption tools for this Dharma variant at the time left system restoration dependent on rebuilding infected devices, prolonging service disruptions for garage users.
