Maryland Paratransit Ransomware Disrupts Mobility: New Ride Requests Halted

A ransomware attack on Maryland’s Transit Administration crippled paratransit scheduling, disrupting transportation for disabled riders. The Rhysida group claimed responsibility, demanding ransom after locking key systems and causing weeks of service outages and data loss.

    A ransomware attack targeting the Maryland Transit Administration (MTA) has caused major disruptions to the state’s Mobility paratransit service, straining transportation access for residents with disabilities and highlighting the vulnerabilities of critical infrastructure. The incident, which began in August 2025, locked MTA out of essential systems used to schedule and manage rides, particularly for its paratransit-dependent riders—a group already reliant on specialized scheduling and vehicle capabilities.

    Attack Targets Most Vulnerable Riders by Crippling Paratransit Scheduling Systems

    The ransomware attackers gained unauthorized access to MTA systems that coordinated real-time operations and trip scheduling within the Mobility paratransit service. These services are essential for riders with physical disabilities who require on-demand, accessible transit to attend school, medical appointments, and daily activities. Pre-scheduled rides were fulfilled, but the agency was unable to accept new ride requests or rebook existing ones for several weeks.

    System outages also impacted customer service operations, including real-time transit data and call center capabilities. While Maryland’s core mass transit systems—including buses, MARC trains, Metro Subway, and Light Rail—remained functional, riders dependent on paratransit services faced significant uncertainty and logistical hurdles. The MTA urged paratransit users to arrive early at pickup points and consider alternative services like Call-A-Ride, which lacked specialized accommodations and scheduling flexibility.

    According to the Maryland Coordination and Analysis Center (MCAC), the MTA quickly brought in third-party cybersecurity experts and notified law enforcement. The Maryland Department of Information Technology and the Department of Emergency Management activated the Statewide Emergency Operations Center to spearhead the response.

    Data Loss Confirmed, with Rhysida Ransomware Group Taking Credit

    In September, approximately one month after the incident began, the MTA restored its Mobility scheduling services, albeit with limited functionality. Riders were required to schedule trips by calling in, as online systems remained offline at that time.

    The MTA confirmed that some data loss had occurred as a result of the attack, though details about the type or volume of data were not disclosed. Subsequently, reports emerged attributing the breach to the Rhysida ransomware gang, a group believed to be Russia-linked and active since early 2023. The gang reportedly posted samples of stolen data as proof and demanded a ransom payment of 30 bitcoin—valued around $3.3 million—to prevent further leaks and unlock encrypted files.

    The Maryland Department of Transportation (MDOT), which oversees MTA operations, acknowledged the breach but refrained from offering details about ransom negotiations. Cybersecurity analysts noted that Rhysida has a growing track record of targeting government entities and healthcare services, with over 220 victims globally.

    Emergency Services Activated to Sustain Minimum Accessibility Support

    In the wake of the outage, the MTA implemented short-term service adjustments to blunt the impact on disabled residents. Riders requiring urgent medical transportation were advised to contact organizations like Hart to Heart, while others were redirected to less tailored services such as Call-A-Ride.

    As disruptions dragged on, the absence of real-time updates and customer support escalated rider frustration. Students returning to school and individuals with medical appointments were among the most heavily affected.

    The agency’s emergency response focused not only on service continuity but also on cybersecurity hygiene improvements. In an official statement, the MTA encouraged all users and state employees to:

    • Watch for phishing and social engineering attempts
    • Enable multi-factor authentication (MFA) wherever possible
    • Use complex, unique passwords across systems
    • Regularly update software and security patches on all devices

    These steps aim to limit lateral movement during future intrusions, harden endpoints, and reduce opportunities for credential misuse.

    A Pattern of State-Wide Vulnerability in Public Service Infrastructure

    This latest MTA breach is not an isolated case. Maryland has witnessed a growing number of ransomware attacks targeting public services. Earlier in 2025, the Anne Arundel County Department of Health experienced a ransomware incident compromising names, addresses, and healthcare data. Similar attacks have hit Maryland’s Department of Health, exposing a clear pattern of threat actors zeroing in on essential services critical to daily life and public well-being.

    The Rhysida group’s targeting of paratransit services—infrastructure that serves a vulnerable population—reflects a broader and alarming trend in ransomware strategy. Rather than focusing solely on high-revenue corporations, adversaries are pursuing operational chokepoints in government and healthcare where downtime inflicts maximum social disruption.

    Takeaways for Critical Infrastructure Defenders

    The Maryland paratransit ransomware attack underscores a number of lessons for cybersecurity teams across public sector transportation services:

    1. Critical accessibility systems must be considered high-priority assets. Paratransit scheduling and real-time service coordination platforms are not ancillary—they are core services for a significant part of the public.
    2. Rapid containment and third-party expertise are essential. MTA’s use of outside experts and early engagement of law enforcement likely mitigated additional spread and loss.
    3. Cyber resiliency should include service continuity planning for the most dependent populations. Temporary fallback procedures such as manual ride scheduling and alternate service referrals must be tested well in advance of a real incident.
    4. Threat actors view essential government functions as high-leverage targets. Whether motivated by financial gains or disruptive intent, ransomware groups are willing to affect services that impact health, education, and mobility.

    As agencies continue to modernize and digitize their service platforms, the attack on Maryland’s Mobility paratransit service serves as a pointed reminder: cybersecurity protections and incident response plans must scale equally with operational complexity.
