Data breach at RailWorks Corporation was caused by ransomware attack

RailWorks Corporation ransomware infection potentially compromised personal details of its employees

RailWorks Corporation hit by ransomware, declares data breach

RailWorks Corporation hit by ransomware, declares data breach

One of the largest US railroad transport provider RailWorks Corporation has suffered a ransomware attack, which also resulted in a data breach of former and current of its employees. As the company reported to the State of California Department of Justice,[1] the intrusion occurred on January 27, 2020, when unknown threat actors implanted ransomware on the servers, encrypting all files in the process.

According to RailWorks Corporation, a variety of personal information of more than 3,000 employees was affected by the breach:

As you know, RailWorks was the victim of a sophisticated cyberattack in which an unauthorized third party encrypted its servers and systems, which may have involved access to your name, address, driver’s license number and/or government issued ID, Social Security number, date of birth and date of hire/termination and/or retirement.

RailWorks Corporation is a privately-owned railroad and transportation provider which operates in the US and Canada. Currently, the company employs over 3,500 employees, so the cybersecurity incident affected the majority.

Aid provided for the victims – free credit monitoring service

It is yet unclear what ransomware hit RailWorks Corporation on January 27, as well as which attack vector was used. Typically, corporations are breached via weekly protected RDP (Remote Desktop) services or via targeted phishing email attachments/hyperlinks.

Nevertheless, the company started informing the affected employees between January 30 and February 7, just a few days after the initial attack. In the notification, the company claims that there are no indications of the stolen information being misused by the attackers in the wild:

While we have no indication that any of your personal information has been misused, we are taking precautionary measures to help you protect your financial security and help to alleviate any concerns you may have.

It is evident that, in the case of data compromise, the affected could face serious consequences, such as targeted phishing attacks and other types of fraud. To assist and protect the affected individuals, RailWorks announced that it would be providing all 3,000+ victims with a free credit monitoring service from Identity Guard for twelve months.

This will help the affected employees to identify when and if their most sensitive details (such as Social Security number) are exposed on the Dark Web, as well as provide regular credit card protection services.

UNION employees can contact Customer Service at 1-855-443-7748 or fill in the form online at Non-UNION employees can call 1-855-443-7748 or visit the

Corporations infected with ransomware are now exposed to additional risks besides the costs of recovery

WannaCry was deployed in May 2017 and caused massive disturbances and financial losses for dozens of organizations, as well as governmental institutions.[2] Since then, ransomware has been on the rise, and the security community saw more new ransomware strains emerging, targeting large firms like Labcorb, Travelex,[3] Tribune Publishing, and many others.

The ramifications of a ransomware attack on any company are devastating – the disruption of the workflow, expensive recovery costs, customer service issues, and much more. Unfortunately for the attacks, not all corporations comply and pay ransoms, so malicious actors are constantly looking for new ways of extorting money.

Just recently, various cybercriminal gangs behind such strains like Maze,[4] DoppelPaymer,[5] and Nemty started to employ a new tactic to ridicule and teach the lesson their future victims: publish the sensitive information stolen during a ransomware attack on a specially crafted website publicly.

While it is yet unknown whether the personal information of RailWorks employees will be put on of such sites, it is good that the victims are at least provided some protection via the free credit monitoring service. Nevertheless, this new and rather scary tactic employed by malicious actors behind ransomware is yet another challenge that businesses and organizations must face in the future; then again – each ransomware attack on the company should be treated as a data breach.