“You Hacked.” Unexpected lessons from a ransomware attack on public services

You know it is a bad day when your computer screen blips up with this ransomware message:

“You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com)ID:681, Enter.”

But if the day is Black Friday, and your computer is part of a major US city’s municipal transit system, I think we can all agree that this constitutes a very, very bad day indeed.

This was the ransomware message displayed on hundreds of SFMTA (San Francisco Municipal Transportation Agency) computer screens on Black Friday, 25 November 2016.

The agency, whose light-rail system handles 220 million passengers a year, became aware of a security issue on Friday when email and access to various systems were affected.

According to SFMTA, around 900 computers were infected (though the Guardian and The Register put the figure at 2,112).

So what happened? Information is still sketchy, but it appears that attackers used a variant of the HDDCryptor malware to infect machines and encrypt a reported 30 GB of data, halting normal operation, and then demanded 100 bitcoin (an eye-watering $73,000 at the time) to decrypt it.

Despite media reports to the contrary, SFMTA says that while data was encrypted, no data was stolen in this attack.

To minimize the impact on customers, the agency opened the ticket gates and gave commuters free transit until the issue was resolved. It is not clear whether SFMTA had any real choice in the matter: would they have preferred to face the wrath of laden Black Friday shoppers and tired commuters?

SFMTA did not pay the ransom, and reports say it took until Sunday to resolve the issue. Normal operation has now been restored, after what we believe was a massive network clean-up and backup restoration effort.

This story highlights two ransomware beliefs that we want to dispel:

MYTH 1: Most ransomware attacks are targeted.

You would be forgiven for assuming that most ransomware attacks are aimed at specific organizations, but in fact many are opportunistic: automated tools scan the internet for exposed, vulnerable systems and infect whatever they find. The motivation is money, of course, and the best targets are unsuspecting organizations that, once hit, pay up to decrypt their files and make the problem go away.

In the case of SFMTA, the agency was not specifically targeted, according to the hacker involved:

we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!

MYTH 2: It’s easiest to pay the ransomware hackers.

On the face of it, it can seem like a logical and quick solution to the ransomware problem. If you get hit, simply pay up.

But there are a few issues here. Not only have you labeled yourself (or your organization) as an easy mark, potentially inviting further attacks; you are also funding the hackers’ next campaign.

Plus, paying up is no guarantee that you will get all your information back. The attackers may even demand additional payments before decrypting anything. Kansas Heart Hospital in Wichita found itself in exactly this situation earlier this year: it paid, and was then asked for more.

Instead, we strongly advise that you maintain up-to-date backups, keep at least one copy offline or otherwise unreachable from the network the malware can reach, and regularly test that you can actually restore from them; a backup that ransomware can encrypt along with everything else, or that has never been restored, will not save you. Ensure sensitive information is well encrypted, so that if snoopers do manage to locate the files, they cannot be read by unauthorised individuals.

Preventative measures are key

Any IT system housing sensitive or business-critical data should be reviewed at least yearly by a reputable IT security advisor with expertise in penetration testing, vulnerability scanning and data breach protection.

Regular preventative checks drastically reduce an organisation’s exposure to digital threats. They also provide much-needed visibility into your networks and systems, allowing you to better protect their confidentiality, integrity and availability.

Specialist cybersecurity firms, especially those that use the same tools and techniques as today’s attackers, can highlight critical and vulnerable areas of your systems, allowing you to lock them down efficiently and effectively.

In other words, implementing their recommendations will make you a much less attractive target.

No wonder regular IT security assessments are now expected by many of today’s cybersecurity regulations, such as New York’s newly proposed cybersecurity requirements for financial institutions (NYDFS 23 NYCRR 500), published a few months ago.

Learn more about TBG Security IT Security services.


About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testing, security policy development, security strategies for compliance, business continuity, network security, managed services, software and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.
