The parking garage used by employees of the Canadian Internet Records Authority (CIRA) allowed people to park for free after computer systems were infected with ransomware.
CIRA is a not-for-profit organization that manages the country code top-level domain (ccTLD) .CA and represents Canadian domains internationally.
The attack hits a huge parking lot
The attack took place on Tuesday, but the problem persisted the next day when computer systems allowed CIRA employees to enter without verification of access cards. The person responsible for the temporary fast pass appears to be a strain of the Dharma ransomware family.
The underground garage spans a few blocks and has over 1,000 spaces available. One of the entrances is at TD Place Stadium, where the barriers were put up on Wednesday morning and everyone could get a parking spot for free.
It’s weird, I wonder why parking is free today. pic.twitter.com/O4Z6V4bkEm
– David Manouchehri (@DaveManouchehri) March 27, 2019
As of Wednesday evening, the parking systems at TD Place stadium were still out of order as technicians scrambled to restore functionality.
An image sent to BleepingComputer by security analyst David Manouchehri shows a computer system being reinstalled, indicating that the backup files were not available.
The huge parking space is operated by the private company Precise ParkLink, so the attack is confined to its systems.
CIRA communications manager Spencer Callaghan said in a blog post that his organization has no knowledge of the parking company’s cybersecurity measures, but he pointed out that many companies do not install anti-malware solutions and did not have a formal patch policy.
“Hackers are starting to exploit these loopholes in businesses of all sizes and in all industries. The problem is no longer exclusive to large companies or data-rich organizations. The tools used by hackers are cheap, easy to find and simple to use, which makes hacking for fun or profit easier than ever, ”Callaghan said.
BleepingComputer has contacted the parking operator to learn more about the attack and the steps taken to prevent cyber incidents in the future, but has not received a response at the time of posting.
The ransom note displayed on the screens of infected systems points to Dharma ransomware. In addition, the “[email protected]” email address in the message indicates that the variant uses the .ETH extension on encrypted files.
Dharma ransomware is typically installed manually on systems where Remote Desktop Services are exposed over the Internet. Attackers scour the web for computers running RDP and try to force their way.
If the method was used in the case of Precise ParkLink, it is possible that this was not a targeted attack and that the hackers simply infected vulnerable computers discovered during the scanning process.
At the moment, there is no free decryption tool for Dharma ransomware. However, keeping regular backups in a safe place ensures fast recovery of affected systems.