Ransomware Winter is Coming
While most of America was emerging from a tryptophan-induced coma on Friday morning, the security team at San Francisco’s Municipal Transportation Agency was waking up to find that ransomware had infected hundreds of the organization’s computers.

The attack eventually spread to nearly 1,000 machines and forced officials to turn off the ticket machines and computer-controlled fare gates at all of the Muni stations, giving riders a “nice” holiday freebie.

The incident was one of thousands of ransomware attacks in the last few days, but because of the high profile of the victim and the cascading effect on riders, the compromise of SFMTA has drawn a lot of attention, as it should. The incident has several unusual features, and it is likely just a sign of things to come as attackers continue to look for new and more profitable targets for their ransomware. But the attack also shows just how vulnerable critical systems are to this technique and how unprepared most organizations are for ransomware.

The attack on SFMTA appears to have been accomplished through the use of an old, known vulnerability in a web server. Once the attacker exploited the bug, he was able to install the ransomware on the network. SFMTA officials said that the attacker did not come in through the organization’s firewall, and that at no point was he able to steal any data. Those two accounts are not easy to reconcile: an exploit against a web server that is reachable from the Internet is an entry from the outside by any ordinary definition, whatever the firewall logs show.

“On Friday, Nov. 25 we became aware of a potential security issue with our computer systems, including email. The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked,” the SFMTA said in a statement.

The attacker apparently demanded about $70,000 in ransom to deliver the decryption key, but SFMTA officials said they never considered paying. If that’s true, that would put them in a vanishingly small minority of victims. Many people and businesses that are hit by ransomware feel they have no option but to pay. Even with good backups--which SFMTA said it has--ransomware can cause serious, long-lasting damage, both to a victim’s systems and to its reputation. SFMTA officials now are working to restore their systems, but putting the shine back on an image is much more difficult.

“We have an information technology team in place that can restore our systems, and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two,” SFMTA said.

As embarrassing and costly as this attack was, it could have been far worse. The compromise didn’t involve any Muni trains, control systems, or other critical systems, but the next one could. Ransomware gangs in the last year have moved from targeting individual consumers to going after enterprises, both large and small. Hospitals, government agencies, police departments, and manufacturers all have been hit with various strains of ransomware and in many cases, they have ended up paying the ransom. When these attacks affect critical operations such as those in a medical facility, the quickest apparent path to restoring normal service usually is to pay up and get on with it, even though paying is no guarantee that a working decryption key ever arrives.

Attackers know this as well as, or perhaps even better than, the organizations they’re targeting. Even after years of examples, many enterprises still aren’t prepared for a serious ransomware attack. Having backups is vital, but it’s no panacea. SFMTA had backups, but it still had to disable its fare gates and ticket machines for three days, costing it an untold amount of money. But what happens if the next attack hits an airline? Shutting off the ticket machines isn’t an option.

Ransomware began as a nuisance, but it has evolved into something much more dangerous and sinister. Enterprises should look at the SFMTA hack not with relief that it wasn’t them, but with the knowledge that it’s time to have a clear, workable plan on how to respond when they’re eventually hit.

Image property of HBO. Retrieved via The Inquisitr.
Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.