Key Takeaways

  • RansomHub ransomware group claimed to have stolen 316GB of data from Prasarana Malaysia Berhad in 2024
  • Prasarana operates Kuala Lumpur's RapidKL buses, LRT, MRT and Monorail — a critical public transport network
  • The attack underscored how threat actors are expanding beyond banking and healthcare to mobility infrastructure
  • Malaysia saw a 153% increase in ransomware incidents in 2024 according to Kaspersky data
  • RansomHub emerged in 2024 and rapidly became one of the most active ransomware groups globally after the BlackCat/ALPHV disruption

The Facts

When most Malaysians think about cybersecurity risks, they picture bank fraud or data breaches at telcos. The 2024 attack on Prasarana Malaysia Berhad — the government-linked company that runs KL Sentral-connected LRT lines, MRT, Monorail and RapidKL buses serving millions of daily commuters — expanded that mental model abruptly.

RansomHub, a ransomware-as-a-service operation that emerged in early 2024 and rapidly built a victim portfolio after the law enforcement disruption of BlackCat/ALPHV, claimed responsibility. The group said it exfiltrated 316GB of data from Prasarana's systems. The volume of stolen data implied months of potential dwell time — suggesting attackers had access to Prasarana's internal systems well before the attack became visible.

The breach placed the operational data of Malaysia's largest public transport provider in criminal hands: employee records, infrastructure documentation, financial data, and potentially operational systems data for a network that moves hundreds of thousands of people daily across Greater Kuala Lumpur.

Prasarana's public response was measured — the company acknowledged the incident without providing detailed technical disclosure, a communication approach consistent with ASEAN's general preference for limited breach disclosure that stands in contrast to the more disclosure-intensive regulatory environments in the EU and US.

Technical Deep-Dive

RansomHub's operational model mirrors the double extortion approach pioneered by earlier groups: infiltrate, exfiltrate, encrypt, and threaten both operational recovery and data publication unless ransom is paid. What distinguishes RansomHub is its aggressive affiliate recruitment — the group reportedly offered affiliates an unusually high 90% revenue share, enabling it to scale rapidly by attracting experienced operators from disrupted competing groups.

Public transport infrastructure presents a distinctive attack surface. Operational systems for ticketing, fare gates, fleet management, and real-time passenger information are increasingly networked — with interfaces connecting operational technology to enterprise IT systems. These integration points, which enable centralised management and passenger app services, also create pathways from internet-exposed enterprise systems into operational infrastructure.

For organisations like Prasarana, the challenge is that many of these operational systems were deployed before modern security controls were standard requirements, and the operational risk of taking them offline for patching and upgrades is high — creating extended windows of exposure.

The ASEAN Perspective

Malaysia's public transport operators are not isolated targets. Singapore's SMRT, Thailand's BTS Skytrain operator, and Indonesia's TransJakarta are comparable organisations in terms of operational profile, public service criticality, and — in many cases — similar technology estate profiles.

The Prasarana breach arriving in the same year as the KLIA Qilin attack creates a pattern: Malaysia's critical infrastructure is being tested systematically. Whether this represents coordinated targeting or opportunistic exploitation of exposed vulnerabilities, the outcome for Malaysia's national cyber posture is the same — critical infrastructure requires dedicated security budgets and OT-specific protection programmes, not just enterprise IT security frameworks applied broadly.

RECATOOLS Verdict

The 316GB data volume claimed by RansomHub represents years of organisational documentation. If authentic, it provides attackers with operational intelligence useful for future targeted attacks, social engineering of employees, and potentially insight into infrastructure vulnerabilities.

The lesson for ASEAN public transport and mobility operators is to treat network architecture — specifically the segmentation between passenger-facing systems, enterprise IT, and operational technology — as a strategic security investment, not a technical detail.
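One way to make that segmentation auditable, as an added example not drawn from the article or from Prasarana's environment: the check below models the three tiers the piece names (passenger-facing, enterprise IT, OT) plus a brokered OT DMZ, and flags any firewall allow rule whose source and destination cross zones outside the permitted paths, including broad any-source rules that silently span several zones. All address ranges, zone names and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map (hypothetical ranges, not Prasarana's), one CIDR per tier.
ZONES = {
    "passenger": ip_network("10.10.0.0/16"),   # ticketing apps, kiosks, public web
    "enterprise": ip_network("10.20.0.0/16"),  # corporate IT: HR, finance, e-mail
    "ot_dmz": ip_network("10.30.0.0/24"),      # historians / jump hosts brokering OT access
    "ot": ip_network("10.40.0.0/16"),          # fare gates, fleet management, signalling
}

# Zone pairs a flow may cross; anything else is a segmentation violation.
# Enterprise IT reaches OT only via the DMZ; passenger systems never reach OT.
ALLOWED = {("passenger", "enterprise"), ("enterprise", "ot_dmz"),
           ("ot_dmz", "ot"), ("ot", "ot_dmz")}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    action: str  # "allow" or "deny"

def zones_of(cidr):
    """Sorted names of every zone a CIDR overlaps; a broad rule spans several."""
    net = ip_network(cidr, strict=False)
    return sorted(n for n, z in ZONES.items() if z.overlaps(net)) or ["unknown"]

def audit(rules):
    """(rule name, src zone, dst zone) for each allow rule that crosses zones
    outside ALLOWED; deny rules and intra-zone flows are ignored."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in zones_of(r.src):
            for d in zones_of(r.dst):
                if s != d and (s, d) not in ALLOWED:
                    violations.append((r.name, s, d))
    return violations

# Constructed sample rule set: three well-formed paths and two typical mistakes.
SAMPLE_RULES = [
    Rule("web-to-crm", "10.10.5.0/24", "10.20.1.0/24", "allow"),
    Rule("it-to-historian", "10.20.1.0/24", "10.30.0.0/24", "allow"),
    Rule("historian-to-gates", "10.30.0.0/24", "10.40.2.0/24", "allow"),
    Rule("legacy-fleet-sync", "10.20.3.0/24", "10.40.9.0/24", "allow"),  # IT straight into OT
    Rule("any-to-ot-mgmt", "0.0.0.0/0", "10.40.0.0/24", "allow"),        # any-source into OT
    Rule("deny-kiosk-to-ot", "10.10.0.0/16", "10.40.0.0/16", "deny"),
]
```

Calling `audit(SAMPLE_RULES)` reports the direct IT-to-OT rule once and the any-source rule twice (once per zone it spans), which is the kind of finding a quarterly rule review should surface before an intruder does.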


Sources

  • Security Quotient Malaysia Cyber Threat Landscape 2025
  • CyberSecurity Malaysia Incident Reports 2024-2025
  • Kaspersky APAC Threat Intelligence 2024

FAQ

What is Prasarana Malaysia? Prasarana Malaysia Berhad is a government-linked company operating Greater KL's public transport network including RapidKL buses, LRT, MRT, and Monorail.

What is RansomHub? A ransomware-as-a-service group that emerged in early 2024, rapidly becoming one of the most active operators after law enforcement disrupted BlackCat/ALPHV. Known for offering 90% revenue share to affiliates.

How much data was stolen from Prasarana? RansomHub claimed to have exfiltrated 316GB of data. The exact contents were not publicly disclosed by Prasarana.

Did Prasarana pay the ransom? Prasarana did not publicly confirm whether a ransom was demanded or paid.

Why is public transport a ransomware target? Operational criticality creates ransom pressure, networked OT systems often have security gaps, and sensitive data (passenger records, infrastructure documentation) has value to attackers.