This article is more than 1 year old

Ransomware crooks who broke into Merseyrail used director's email address to brag about it – report

Hasn't stopped the trains, though

Brit railway company Merseyrail is understood to have suffered a ransomware attack – and the crooks responsible reportedly pwned a director's Office 365 account to email employees and journalists about it.

News of the breach was reported by BleepingComputer, which received one of those emails.

A spokesperson for the rail operator told us in a statement: “Merseyrail was recently subject to a cyber-attack. A full investigation has been launched and relevant authorities notified. This does not affect the operation of our services, which will continue to run as advertised.”

Merseyrail's network covers 68 stations around Liverpool, Birkenhead and Southport, stretching as far south as Chester.

It was claimed that the group responsible was the Lockbit gang, a relatively new organisation. Darktrace reckoned it was first seen in 2019 and leveraged tools such as PowerShell to compromise its victims. Darktrace reckoned that Lockbit's average ransom demand was $40,000.

A model of a time bomb: electronic timer connected to sticks of dynamite

Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs


Describing a previous infection of one of its clients, Darktrace said: "The attack commenced when a cyber-criminal gained access to a single privileged credential – either through a brute-force attack on an externally facing device, as seen in previous LockBit ransomware attacks, or simply with a phishing email."

Sophos carried out a technical analysis of Lockbit back in 2020, noting that the crew refuses to target victims from the Commonwealth of Independent States (basically the old Soviet Union). When deployed it tries to kill Windows processes, including products from Norton, Symantec, Sophos, and Qihoo360 as well as backup suites. It also persists after shutdown through a registry key.

The Information Commissioner's Office said it was aware of the ransomware attack at Merseyrail, which was last voted, for the second year running, as the UK's most reliable train operator. ®

More about

More about

More about


Send us news

Other stories you might like