Ransomware Attack on UK Rail System – Spray and Pray or Targeted?

Northern Rail, one of the UK’s local railway systems covering the north of England, had its new self-service ticketing machines taken off-line following a ransomware attack last week.

Railways in the UK are operated under a licensed franchise system following the breakup of the state-owned British Rail, which was privatized gradually from 1994 to 1997. The rail infrastructure is owned and managed by Network Rail, described as an ‘arm’s length’ public body of the Department of Transport – but the rail services are operated by private companies under license to the government.

The government exercised its rights last year. Northern Rail was at the time operated by Arriva Rail North, but the service was taken over (or taken back) by the government after a series of problems including delays and cancellations to services.

Northern Rail is effectively government owned. The self-service, touchscreen, tablet-like ticketing machines (approximately 600+) were bought and paid for with government funds (around £17 million), and installed in about 420 stations across the network. This means that there is zero chance of any ransom being paid. If this were a targeted attack, the attackers would have known this.

The implication – which is just conjecture since no details have yet been released – is that this was a spray-and-pray attack in which ransomware was delivered simply because it was possible. This in turn should remind SMEs that they are still subject to ransomware attacks even if they don’t consider themselves to be an attractive target.

The ticketing machines were provided by Flowbird Transport Intelligence, and installation was completed in May 2021. Northern Rail has provided no information on the problem. A travel alert on its website merely says, “We are currently experiencing technical difficulties with our self-service ticket machines which mean all have to be taken off-line. We are investigating the issue and are working hard…”

There was no disruption to rail services, and tickets could still be purchased manually at ticket offices.

Flowbird has provided more information to the BBC. It told the BBC that the problem was first identified through cyber monitoring systems. “We immediately instigated our major incident procedure in order to protect other parts of the network and our checks have shown there has been no compromise to any personal data,” a spokesperson said.

This is an important comment, since the ticketing machines accept card payment for the tickets they dispense. If accurate, it lends further credence to the idea that this was a commodity-level ransomware attack rather than a sophisticated targeted attack. (That idea will need to be revised if it turns out that the attackers were resident longer than expected, that payment details were stolen, and that the ransomware was deployed to cover their tracks.)

Andy Norton, European cyber risk officer at Armis, commented, “Given how recent the installation was, it would appear some basic security mechanisms are missing from the recent deployment. The ticketing system is likely Android based, and there is a small number of ransomware families that specifically target Android devices. Rail networks are considered critical infrastructure under the NIS legislation and so, a risk assessment of the new Ticketing system should have been undertaken and this risk assessment should have included the risk of cyberattack with mitigating controls.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
