Ransomware Hits Light-rail System, Resulting in Lost Revenue

Ransomware really gets around, faster than even the best form of mass transportation can move busy commuters to work.


Recently, ransomware caused the San Francisco Municipal Transportation Authority (SFMTA) light-rail system to lose revenue when the organization shut down ticket machines and fare gates as a precaution to the malware attack. According to the SFMTA site, ransomware infected mainly 900 office computers. However, another source claimed that more than 2,000 computers were infected, including office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals and station kiosk PCs.

The ransomware scrambled the data on infected hard drives, posted a message on corresponding computers (“You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601.”), then demanded a 100 Bitcoin ransom (approximately US$75,000) before the cybercriminals would agree to hand over a primary decryption key that would allow the SFMTA to decipher the data ransomed on the infected hard drives.

Ransomware is a threat to businesses that already costs millions of dollars each year, and unfortunately is prevalent and grows more sophisticated. There are literally millions of new malware variants each year. In 2015 there were 431 million variants added, according to the Internet Security Threat Report.

Using a variety of attacks, criminals can inject malware into your network, which then holds your data or other systems hostage until you pay a ransom. Ransomware gains access to a computer system through a network’s weakest link, which is typically a user’s email or social networking site. Once a user clicks on a malicious link or opens an infected attachment, the malware spreads quickly throughout the system.

When a file or other data is held for ransom, the affected organization must meet the financial demands of the cybercriminal in exchange for a decryption key to “unlock” the ransomed data. If you don’t pay the ransom, you forfeit access to your computer and the data that’s on it. You also forfeit access for others to shared documents and data, compounding the impact exponentially. You might think that’s the worst case. Not so.

Unfortunately, victims who pay the ransom might still not get their files back. The harsh reality is that the attacker might not supply the decryption key that unlocks the victim’s files. In fact, a recent survey found that of those victims of ransomware who paid the ransom, only 71 percent had their files restored.

Is there anything you can do to prevent a ransomware attack on your organization? Yes! Cloud backup from Mozy by Dell ensures that your important endpoint files and server data cannot be compromised by ransomware. Mozy prevents any execution of code within the files that have been backed up. But simple backup is not enough to ensure that your files are protected from ransomware.

When a malware infection is involved, restoration of an endpoint or server from a backup works best when you can easily select a moment in time from where to restore. Mozy keeps up to one year of file versions, meaning if you have identified the point of infection and the time the malware was introduced to the machine, Mozy can restore all of the files for the given user from the point in time just before the malware was introduced.

SaaS office productivity platforms are also vulnerable to malware attacks. Spanning Backup, also from Dell, fully protects data that is stored and generated in Google Apps and Office 365 and enables you to rapidly recover data from a previous point in time, before the files were encrypted by ransomware.

Although the ransomware attack on the SFMTA is now contained—and no ransom was paid—this cyberattack is one more reminder that ransomware is a very real threat.

Update: The SFMTA hacker got hacked back, according to a recent news source. Poetic justice indeed.

About the Author: Brian Heckert