The San Francisco public transportation system has recently recovered from a ransomware attack that hit on Friday, 11/25/2016. A strain of PC ransomware infected the computers of the Municipal Transportation Agency and displayed this message on the ticketing systems:
You Hacked, ALL Data Encrypted
The hack left the ticketing systems inoperable, and passengers were able to ride the city’s light rail system (the MUNI) without payment.
The attacker, using the email address Cryptom27@yandex.com, said that the MTA had to pay if they wanted access to the data to recover the machines. The attacker explained that the ransomware did not target the MUNI, but was simply out searching for a victim:
… our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software !
The attackers demanded 100 Bitcoin, or roughly $70,000.
According to this BBC report, there was no impact to the transit service, safety systems, or customer information. However, the attacker later said that he would publish 30Gb of databases and documents, including employee data, contracts, and more, if the SFMTA does not properly address their security vulnerabilities.
Approximately 700,000 people use the MUNI system each weekday, representing about 24% of weekday travel in the city. The cost to the San Francisco MTA will likely be unknown for at least several weeks.
What makes this particular ransomware incident interesting is that the attack affected public-facing ticketing machines. The majority of ransomware attacks take place behind closed doors, with the public sometimes never finding out about them. The hackers that hit the San Francisco transport systems did so in a very public way.
Businesses should of course do everything they can to avoid these attacks in the first place, especially those delivered via email, and use network segmentation and proper firewalling to limit the effect of any successful breach. That said, a well-deployed backup process can also play a decisive role, not only in limiting the damage of a ransomware attack but also in making sure that a company never needs to pay a ransom.
As of today, the San Francisco MUNI fare system has been restored using disaster recovery methods, and now appears to be free of infection. The incident remains under investigation.