Ransomware Attack Disrupts Northern Kentucky Transit Authority (TANK)

Incident Date: August 19, 2024


Overview

Title: Ransomware Attack Disrupts Northern Kentucky Transit Authority (TANK)
Victim: The Transit Authority of Northern Kentucky (TANK)
Attacker: Akira
Location: Fort Wright, Kentucky, USA
First Reported: August 19, 2024

Ransomware Attack on The Transit Authority of Northern Kentucky (TANK) by Akira Group

The Transit Authority of Northern Kentucky (TANK), a public transportation system serving the Northern Kentucky suburbs of Cincinnati, Ohio, has recently fallen victim to a ransomware attack by the Akira group. This incident has raised significant concerns about the security of TANK's information systems and the potential impact on both employees and customers.

About TANK

Established in 1973, TANK was created through public funding to ensure continued transit services in the Northern Kentucky region, specifically in Kenton, Boone, and Campbell counties. The authority operates a fleet of 107 buses, providing both fixed-route and paratransit services, with a daily ridership of approximately 6,500, totaling about 2.1 million rides annually. TANK employs between 201 and 500 people and is headquartered in Fort Wright, Kentucky.

TANK stands out for its comprehensive service coverage and integration with other regional transit systems, including the Southwest Ohio Regional Transit Authority (SORTA). This interconnectivity enhances the overall transit network in the Greater Cincinnati metropolitan area. The agency has also been updating its fleet with newer models, including hybrid electric vehicles, demonstrating a commitment to modernizing its services.

Attack Overview

The Akira ransomware group has claimed responsibility for the attack on TANK via its dark web leak site. The attackers claim to have infiltrated TANK's systems and accessed a range of sensitive data, including employee personal information, confidential agreements, contracts, incident reports, and some customer data. If the claim is accurate, the breach points to weaknesses in TANK's information systems that made it a viable target for a sophisticated threat actor.

About Akira Ransomware Group

Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, sharing similarities in their code.

Akira operators use double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. Their ransom demands typically range from $200,000 to over $4 million. The group is known for its unique dark web leak site with a retro 1980s-style interface. Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. They have also been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration.

Penetration Methods

Akira's penetration methods often involve exploiting vulnerabilities in VPNs and other remote access systems. They gain unauthorized access through credential theft and then move laterally within the network to deploy the ransomware. In some cases, Akira has been seen deploying a previously unreported backdoor, further complicating detection and mitigation efforts.
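The two passages above describe the same chain: VPN access with stolen credentials, lateral movement, then staging of data with RClone, FileZilla or WinSCP before encryption. The following detection sketch is an added example, not code from the tracker site or from any TANK investigation; it runs over constructed log lines (hypothetical hosts, users and IPs) and raises severity when an exfiltration tool is launched by a user who recently logged on through the VPN.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, users and IPs; not TANK or Akira data).
# Format per line: <ISO timestamp> <event type> key=value ...
SAMPLE_EVENTS = [
    "2024-08-18T22:01:10 vpn_logon user=jdoe host=VPN-GW src=203.0.113.45",
    "2024-08-18T22:14:33 process user=jdoe host=FS01 image=C:\\Users\\jdoe\\rclone.exe",
    "2024-08-18T23:02:07 process user=svc_backup host=FS02 image=C:\\Tools\\WinSCP\\WinSCP.exe",
    "2024-08-19T08:30:00 process user=alice host=WS07 image=C:\\Windows\\System32\\notepad.exe",
]

# Exfiltration tools named in the writeup above (matched on image file name, case-insensitive).
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "winscp.exe"}


def parse_event(line):
    """Parse one log line into a dict with 'time', 'type' and the key=value fields."""
    timestamp, kind, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    event["type"] = kind
    return event


def find_exfil_after_vpn(lines, window=timedelta(hours=2)):
    """Return (user, host, tool, severity) for each exfil-tool execution.

    Severity is 'high' when the same user had a VPN logon within `window` before
    the execution (the VPN -> exfiltration chain described above), else 'medium'.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    last_vpn_logon = {}  # user -> time of the most recent VPN logon seen so far
    alerts = []
    for event in events:
        if event["type"] == "vpn_logon":
            last_vpn_logon[event["user"]] = event["time"]
        elif event["type"] == "process":
            tool = event["image"].rsplit("\\", 1)[-1].lower()
            if tool not in EXFIL_TOOLS:
                continue
            logon = last_vpn_logon.get(event["user"])
            recent = logon is not None and event["time"] - logon <= window
            alerts.append((event["user"], event["host"], tool, "high" if recent else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_after_vpn(SAMPLE_EVENTS):
        print(alert)
```

Any execution of the named tools is reported, since legitimate use is rare on most fleet-management hosts; the VPN correlation only orders the triage queue.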

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given the threat actors' lucrative success so far, ransomware has become the most ubiquitous, and financially and informationally impactful, cyber threat to businesses and organizations today.

The site's data is generated from the hosting choices of real-world threat actors (their leak sites) and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.