Medusa Ransomware Disrupts Kansas City Public Transportation Authority


January 29, 2024

World map

The Kansas City Area Transportation Authority (KCATA) announced it was the victim of an attack claimed by the Medusa ransomware gang.  

Several services have had their communications lines disrupted, including RideKC, Freedom and Freedom-On-Demand Paratransit which serves customers requiring medical transport.

Medusa operators are demanding $2,000,000 and gave KCATA just ten days to negotiate payment or face the possibility that sensitive data exfiltrated in the attack would be exposed publicly.

“A significant concern in ransomware incidents is the possibility of data theft, including personal and payment details of customers, which in this case would expose many people using KCATA services,” Bleeping Computer reports.

“The agency has not elaborated on the possibility of registered members and pass holders having had their sensitive information exposed to cybercriminals.”

Medusa operators gave KCATA the option to extend the ransom deadline at a cost of $100,000 per day.

Takeaway: At some point, these ransomware attacks are going to cross the line from cybercriminal activity to a national security event, especially when we are talking about attacks on critical infrastructure and public entities.

We know rogue nations tacitly or directly support and/or control these ransomware operators to an extent, and these attacks are starting to look more and more like state-sponsored terrorism, and perhaps we should be addressing them as such.

The attack on KCATA highlights two of the more concerning issues regarding the impact of ransomware attacks: the exposure of sensitive data and potential for fraud, and an increase in negative outcomes for patients.

Even if this attack is easily resolved and systems restored to normal without having made a ransom payment, KCATA staff and customers whose personal information was stolen will continue to be at risk of identity theft and financial fraud into the unforeseeable future.  

But worse yet, the attack could put patients who depend on KCATA for transport to medical appointments at significant risk of harm if the appointments have to be rescheduled and due to lack of transportation.

A recent study found that 68% of healthcare professionals surveyed said ransomware attacks resulted in a disruption to patient care. As well, 43% said data exfiltration during the attack also negatively impacted patient care, with 46% noting increased mortality rates and 38% noting more complications in medical procedures following an attack.

While the authorities can assist organizations after they have been victimized, taking measures to ensure the organization is prepared to defend against a ransomware attack will come from the organizations themselves.

Organizations should not hold out any hope that the government will be able to offer anything in the way of preventative protection beyond offering the most basic advice – keep systems updated, run endpoint protection software, conduct tabletop exercises, etc.

We are seeing more tactics and techniques employed by ransomware operators that were once only observed in state-sponsored operations.

The US government needs to stop letting organizations just to just fend for themselves; they need more than guidelines, best practices and frameworks.  

Organizations in both the public and private sectors desperately need significant intervention by the federal government to protect them from what are known to be nation-state-associated threat actors who are fleecing Americans of hundreds of billions of dollars a year and potentially putting their lives at risk. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.