kc scout play ransomware

Ransomware group Play today claimed a cyber attack that took down Kansas City’s traffic management system, KC Scout. The April 25 attack forced KC Scout to shut down its website, traffic cameras, and message boards.

In addition to disrupting service, Play claims it stole an undisclosed amount of data from KC Scout containing “private and personal confidential data, clients documents, payroll, accounting, contracts, taxes, IDs, finance information and etc. [sic]”

KC Scout has not confirmed Play’s claims.

Melissa Black, communications manager for the Kansas City District of the Missouri Department of Transportation, replied to Comparitech’s request for comment with the following statement in an email:

“KC Scout, a bi-state initiative between the Missouri and Kansas Departments of Transportation to provide travel and traffic information and service for the Kansas City metro area, suffered a cyberattack on April 25. Services continue to be offline which includes dynamic message boards, the website and cameras connected to KC Scout. Staff have and continue to evaluate impacts. Immediate and critical traffic information impacting the KC metro area is being shared through modot.org in Missouri and KanDrive.gov in Kansas.

 

The Missouri and Kansas Departments of Transportation understand this is frustrating to partners and the traveling public. Work on service restoration is underway. It is too early to provide an estimate, but it is expected to be months before restoration can be anticipated. The DOTs and KC Scout ask for continued patience from partners and the public as efforts to restore services continue.”

 

We don’t yet know how many people’s data is affected, how attackers breached KC Scout, how much the ransom is, or whether officials intend to pay the ransom.

This is the second ransomware attack to hit Kansas City transportation authorities this year. In January 2024, the Kansas City Area Transportation Authority (KCATA), which administers the city’s public buses, announced it was the victim of a ransomware attack that took down its call centers.

Who is Play?

First observed in June 2022, Play Ransomware has a history of targeting large organizations in healthcare, finance, manufacturing, real estate, education, and more. It’s known for double-extortion attempts that force victims to pay twice: once to decrypt systems, and again in exchange for not selling or publicly releasing stolen data.

Play prefers to break into systems by exploiting vulnerabilities, especially in remote desktop software (RDP). The ransomware uses intermittent encryption, which partially encrypts chunks of data instead of entire systems to avoid detection.

According to our data, Play claimed responsibility for seven attacks so far in 2024. Recent victims include juice maker Welch’s, Douglas County Libraries in Colorado, and the New York Legislative Bill Drafting Commission.

It claimed 48 attacks in 2023, affecting more than 210 million records.

Ransomware attacks on US government orgs

In 2023, 74 US government organizations confirmed ransomware attacks, affecting 309,810 records, according to our data. The average ransom for confirmed attacks was $830,000 in 2023, and the average downtime was 14 days.

So far in 2024, we’ve logged 24 confirmed attacks affecting 50,237 records, plus 12 unconfirmed attacks.

About KC Scout

Created in 2000, Kansas City Scout is an initiative between Missouri and Kansas designed to reduce traffic congestion and accidents. It places electronic signs on major highways that display live traffic information, such as lane closures and accidents. The system includes traffic cameras that automatically detect traffic issues. KC Scout has largely been successful in its mission and plans to extend coverage to more highways.

In today’s statement, MoDOT communications manager Melissa Black provided the following information:

The Kansas and Missouri DOTs remind motorists that emergency services are still available in Kansas and Missouri. Kansas Highway Patrol Motorist Assist Vehicle (MAV) continue to proactively run routes and respond to incidents in their jurisdiction. MoDOT Emergency Response Continue to proactively run routes and respond to incidents in their jurisdiction. 

 

While real-time data is not available via KC Scout services, the Missouri and Kansas traveler information sites, apps, and phone numbers are providing limited information on the KC metro area via phone and website/app:

  • Missouri: Call 888.275.6636 or visit www.modot.org
  • Kansas: Call 511 or visit KanDrive.gov

 

MoDOT and KDOT remind travelers to drive safely based on current road conditions and traffic flow.