Long the scourge of personal computers and small businesses, ransomware — like the virus that struck San Francisco Muni’s computer systems over the weekend — is becoming increasingly common among large corporations and public agencies are no exception, digital security analysts said.
Muni responded by giving free light-rail rides from Friday until 9 a.m. Sunday. The computer viruses, which lock users out of their own data until they agree to pay a ransom, can hit a company’s bottom line but aren’t likely a threat to public safety, experts said. That’s because most transit agencies keep critical systems that control trains offline and separate those systems from the networks employees use to access email or perform regular work, said Robert Capps, the vice president of business development for NuData Security, a digital security firm.
Muni riders in San Francisco were not at risk, and the hackers did not access data or breach payment systems during the attack that affected around 900 computer workstations on Friday, said Paul Rose, a spokesman for the SFMTA. As a precautionary measure, Cubic Transportation Systems, the company that operates Clipper cards, shut down the payment kiosks to prevent the malware from spreading, said Randy Rentschler, a spokesman for the Metropolitan Transportation Commission, which contracts with Cubic.
Similar to malware that can infect certain computer files, the ransomware must be “invited in” by someone on the network — presumably an unwitting employee who clicks a link in an email or on a website. Rose said that was the case on Friday.
It spread through the system’s Windows operating system, Rentschler said, though the SFMTA network team blocked it from spreading outside of Muni.
The agency was able to restore 75 percent of its infected workstations by Sunday night and on Monday were still working to restore the rest, Rose said. The attackers demanded a ransom of 100 bitcoins, or roughly $73,000, which the SFMTA never considered paying, he said.
Reached via the email posted to computer screens across the agency’s workstations on Friday, the hacker or hackers going by the name “andy saolis,” told the East Bay Times on Monday they hacked into Muni’s system to expose weaknesses in its security system.
Saolis threatened to publish 30 gigabytes of data, including contracts, employee data, customer information and more “to Have More Impact” and “Force Them to do Right Job!”
Spokeswomen for both the Santa Clara Valley Transportation Authority and Caltrain said the attack served as a reminder to remain vigilant to potential security breaches. BART declined to comment.
Both Capps and Bruce Schneier, chief technology officer for Resilient Systems, an IBM-owned security company, said the risk to public safety from an attack like the one MUNI experienced was low.
“It’s irrelevant,” Schneier said.
But that doesn’t mean attacks won’t get more sophisticated in the future, said Ragib Hasan, an assistant professor of computer and information sciences at the University of Alabama-Birmingham and the director of SecretLab, a research facility. In the game of digital cat and mouse, the stakes will get higher, he said.
“I’m worried that in the coming days, the attacks will get more severe,” Hasan said. “If they control the train, they can do a lot more damage.”
While attacks are perhaps not preventable, agencies can take steps to make recoveries as painless as possible, Capps said.
“No one is really immune to cyberattacks today,” Capps said. “And it will continue. As we make the systems more secure from the foundation up, we will continue to see these sorts of attacks.”
Source: Contra Costa Times