MONTREAL -- Hackers demanded US$2.8 million from the STM in their recent cyberattack, the transit corporation said today, 10 days after the attack took its website offline.

The STM said it's not paying the "ransom," which was demanded in exchange for the release of encrypted servers.

“The STM maintains its decision not to act on this request,” it said in a statement on Thursday, after finally making contact with the hackers. 

The amount they demanded adds up to just over CAD$3.7 million.

The attack occurred as a result of a phishing email, according to the STM -- an unsuspecting employee likely clicked on a link containing malicious malware, believed to be called RansomExx.

The same ransomware was used in multiple large-scale attacks in the U.S. over the summer, including the Texas Department of Transportation.

One thousand of the STM’s 1,600 servers were affected by the attack, including 624 "operationally sensitive" servers, according to its statement.

“Seventy-seven per cent of those have already been recovered, thanks to the hard work of our IT teams,” the STM said.


The transit authority maintained that no data was stolen during the attack. But it may be too early to know if that statement is true, according to experts.

“I would not be surprised if in a few months from now, somewhere on the dark net, you’ll see an active stash of information stolen from the STM,” said Steve Waterhouse, former Information Systems Security Officer for National Defence, in an interview with CTV News.

“In most of these ransomware attacks recently,” he said, hackers “go inside and stay inside as a persistent threat, document everything, pick up a few crunchy files, and escape.”

It’s only then that hackers “put up a smokescreen” creating the illusion of a ransomware attack, he said.

“They ask for the ransom in the forefront, then come back later and ask for a second ransom,” he said.

“They have the files they can show the company and say 'If you don’t want these distributed on the Internet, let’s'”


The October 19 attack had serious consequences beyond shutting down the STM's website.

It also shut down the system's paratransit booking system for more than a week, leaving many with mobility issues stranded. That service has since been restored, according to the STM.

The pay system for overtime and bonuses was also briefly affected, but the STM said it’s managed to pay its 11,000 employees in an almost normal manner.

Also today, the West-Central health district of Montreal announced it, too, had been the victim of a cyberattack and had to temporarily deactivate many of its online systems to preserve the security of the data.