Ransomware Hit Garage Used by Canadian Internet Registration Authority

by David Bisson on March 28, 2019

The parking garage used by employees of the Canadian Internet Registration Authority (CIRA) suffered a ransomware infection.

At the end of their morning commute on 27 March, employees of CIRA arrived at a parking garage maintained by Precise Parklink. The garage typically uses Precise Parklink’s “Automated Parking Revenue Control System” to verify visitors by scanning their parking passes. But not this morning. The garage’s barriers were already up, thereby allowing anyone to drive through and get a parking space for free.

That’s weird, wonder why parking is free today.. pic.twitter.com/O4Z6V4bkEm
— David Manouchehri (@DaveManouchehri) March 27, 2019

A technical glitch wasn’t responsible for this unexpected gift of free parking. As reported by Bleeping Computer, Precise Parklink’s systems at this particular garage suffered an infection of Dharma, a family of ransomware which is known to infect computers that have Remote Desktop Services exposed on the internet. The threat specifically looks for machines running RDP and then tries to brute force its way in.

At this time, it’s unclear whether the ransomware targeted the garage’s computers or simply discovered them during its web scans.

Bleeping Computer learned that the attack took place on Tuesday but carried over into Wednesday morning as employees of CIRA, the organization responsible for maintaining Canada’s .CA country code top-level domain, arrived for work. Technicians were still working to restore the affected computers’ functionality later that evening.

One photograph shared by security analyst David Manouchehri captured the process of technicians reinstalling an affected system.

Spencer Callaghan, communications manager at CIRA, revealed that the attack did not affect the Canadian Internet Registration Authority itself. But he did note how these types of attacks have become so commonplace. As quoted in a blog post: