Ransomware gang says it hacked the Maryland Transit Administration

Ransomware gang Rhysida today took credit for a late-August data breach at the Maryland Transit Administration.

Maryland’s Department of Transportation on August 24, 2025 announced a cybersecurity incident disrupted bookings at the Maryland Transit Administration’s paratransit service. It later confirmed unauthorized access to MTA systems and subsequent data loss. At time of writing, real-time bus tracking is still out of service for some buses.

Rhysida claimed responsibility for the attack and demanded a ransom of 30 bitcoin–worth about $3.4 million at time of writing–be paid in the next seven days. To prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include a scans of a Social Security card, driver’s license, passport, and several other documents.

Rhysida lists the Maryland Department of Transportation on its data leak site.
Rhysida lists the Maryland Department of Transportation on its data leak site.

MDOT has not verified Rhysida’s claim. We do not know what data was compromised, how many people are affected, if MDOT did or will pay a ransom, or how attackers breached the MTA’s systems.

An MTA spokesperson gave the following statement in response to Comparitech’s questions: ”

“The Maryland Transit Administration can confirm incident-related data loss at this point in our investigation,” an MTA spokesperson told Comparitech in a statement. “At this time we are unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation. If it is found that personal information has been taken, the affected individuals will be notified by the State in accordance with State law and we will take appropriate actions and provide guidance on recommended actions.”

Who is Rhysida?

Rhysida is a ransomware group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.

Rhysida has taken credit for 91 confirmed attacks since it began listing targets on its data leak site, compromising 5.5 million records. Its average ransom demand is $1.1 million.

Rhysida’s demand of nearly $3.4 million in bitcoin from the MTA is the group’s second largest, following a $5.8 million demand from an attack on the Seattle-Tacoma International Airport. Rhysida also demanded $3.4 million in ransom from Ann & Robert H Lurie Children’s Hospital of Chicago in January 2024. Neither of those ransoms were paid.

In 2025 to date, Rhysida has claimed eight confirmed ransomware attacks and made another 45 unconfirmed attack claims. In another of the group’s attacks on government agencies, Rhysida demanded $2.6 million following its attack on the Oregon Department of Environmental Quality.

Ransomware attacks on US government

Comparitech researchers have logged 59 confirmed ransomware attacks against US government entities in 2025 to date, compromising more than 386,000 records. The average ransom demand is $1.6 million.

In August alone, we recorded 12 such attacks. They include a data breach at Spartanburg County, SC for which ransomware group Qilin took credit.

In addition to data theft, ransomware attacks on US government entities can disrupt computer access to essential services, payments, communications, and stored files. Officials must then either pay a ransom or face extended downtime, data loss, and putting constituents at increased risk of fraud.

About the Maryland Transit Administration

The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxies, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.