San Francisco’s Muni hack: A case study in prepping for ransomware attacks

By Daniel Niepow, Associate Editor

San Francisco Muni Metro subway passengers got an unexpected treat one weekend in late November 2016: free rides.

But it wasn't exactly an act of charity on the part of the San Francisco Municipal Transportation Agency (SFMTA), which oversees the city's Muni light-rail system. Instead, the agency on Nov. 25 took its Muni subway ticketing machines and faregates offline after a hacker attacked its office computers.

The attacker demanded 100 bitcoins — which at the time was estimated at $73,000 — to relinquish his hold on the system.

Although the hack didn't compromise the SFMTA's fare system, the agency decided to shut it down as a precautionary measure to protect passengers.

This kind of hack, which is known as a "ransomware" attack, is becoming increasingly common in the cybersphere, information security execs say. In a ransomware attack, a hacker infiltrates a system, locks users out and demands a sum of money — usually in the form of "cryptocurrency" like bitcoins — to restore the victim's access.

While ransomware attacks typically are "industry agnostic," — attackers target any companies or organizations that are likely to pay — freight and passenger railroads are lucrative potential targets, says Limor Kessem, executive security adviser at IBM Security.

"There's more at stake for everyone when such organizations are paralyzed," Kessem says. "With hampered or paralyzed operations, attackers are in a better position to pressure organizations to negotiate with them quickly and for more money, unless the victim has proper recovery plans in place."

In the case of the SFMTA attack, the agency restored its systems by using backed-up data. By Nov. 28, the SFMTA was able to get most of the affected computers back up and running.

"Thanks to the fact that we systematically back up our systems, the impact was minimal," said SFMTA spokesman Paul Rose in an email. "We don't want to provide a roadmap for any future attacks by detailing specific next steps, but we are reaching out to staff to further remind them of the impacts of clicking on links and opening emails from unfamiliar sources."

SFMTA execs never considered paying the ransom, agency officials said in an update after the attack.

Still, the agency may have lost up to $50,000 in unpaid fares during the attack, according to Rose.

Companies can mount a better defense against ransomware attacks by frequently backing up their data on a cloud system or at a separate data center, says Scott Montgomery, vice president and chief technical strategist at Intel Security.

"Most organizations — critical infrastructure or not — fail to back up frequently enough to avoid some form of data loss," he adds.

Hackers also will look for holes in out-of-date database systems. So, organizations should ensure their software is updated with the latest patches, Montgomery advises.

The Muni hack came amid an uptick in ransomware attacks in 2016. Last year, there was a 6000 percent year-over-year surge in ransomware spam, IBM's X-Force research team found.

"There is an ease of use in ransomware that's rare in other types of malware," says IBM's Kessem. "Once the victim is infected, the criminal does nothing but wait for the coins to come."

What's more, because hackers demand cryptocurrency like bitcoins, they can ensure they get their money anonymously and lower their risk of getting caught.

And many companies that are victim to ransomware attacks are paying up, according to IBM. In an IBM survey of 600 U.S. business executives, 46 percent said they had some experience with ransomware attacks; of that total, 70 percent paid a ransom to their attackers.

"With the increase in paying victims, more attackers moved into the ransomware arena, including organized cybercrime gangs using highly sophisticated malware codes to target users and businesses," Kessem adds.

Plus, many victim organizations may decide to simply pay the ransom and "keep mum" about it, says Intel's Montgomery.

"I wouldn't be shocked if other organizations are being successfully attacked but not necessarily letting folks know," Montgomery says. "Because a lot of these organizations pay the ransom and change their systems after the fact, there's no breach reporting that they perceive they have to do."

Adequate preparation can go a long way toward helping railroads and transit agencies avoid these kinds of attacks — and rapidly recover if they do happen, says IBM's Kessem.

"I think the No. 1 factor that could increase preparedness for any organization, even more than employee education, is having an incident response plan in place — one that is regularly tested and gives teams some muscle memory to help them react quickly and effectively," she says.