Muni hack shows threat ransomware poses to critical infrastructure

Dec. 19, 2016
Experts weigh in on incident and what can be done to mitigate future attacks

The threats posed by cyber-attacks to the nation’s critical infrastructure have been discussed ad nauseam for years and with good reason. The prospect of an attack that could cripple substantial portions of the power grid or disrupt communication networks is terrifying. But while these types of doomsday scenarios perpetrated by nation-state actors have yet to come to fruition, groups of cyber extortionists have demonstrated that they too can cause significant societal disruption.

Last month, the computer networks of the San Francisco Municipal Transportation Agency, known simply as Muni, were disrupted by a ransomware attack. Although Muni, which refused to pay the $73,000 ransom, was able to remain operational during the ordeal, the attack still cost the transit agency an estimated $50,000 in lost fares, according to at least one report. Muni was fortunate, however, as the majority of government agencies and private sector organizations infected by ransomware in recent years have not had the same luxury of blowing off the hackers.

“The SFMTA was fairly well-prepared for this kind of an incident. In fact, they may not have prepared for this specific type of incident but their ability to maintain service and restore their systems put them in a better position than many victims of ransomware have been in the past,” says Tim Erlin, senior director of IT security and risk strategy for Tripwire.

Thomas Pore, director of IT and services for Plixer International, believes the hackers in this case were caught off guard by the response of the transit agency.

“While the initial hack was intended to be extremely disruptive to the general public, the hackers may not have anticipated the initial response by the SFMTA,” Pore says. “The disruption to travelers was eliminated when the SFMTA allowed passengers to ride for free. If the trains were unable to operate, the public demand for transportation would likely increase the chances of the ransom being paid.”

Erlin says the fact that Muni didn’t have to pay the ransom is a testament to their level of disaster preparedness and the backups they had in place. “In general, having a good disaster recovery plan has put them in a position where they weren’t forced to pay the ransom to get access to their data again,” he adds.

However, Pore says the attack should put transit systems across the country on notice about what could potentially happen to them if they are not prepared to deal with a similar situation.

“The outcome could have been far worse and now there is proof that public transportation is at risk and could be under control of malicious actors. Creating a long lasting disruption will likely generate a successful extortion attempt,” Pore explains. “It’s another indicator that the malicious actors are innovating and strategizing.”

While the incident does demonstrate the dangers posed to critical infrastructure by ransomware and other types of cyber-attacks, Erlin does not believe that Muni was singled out as a target in this incident but was rather caught up in a wider net cast by the cyber criminals.

“The ransomware trend has been ongoing for a long period of time. In the information security community, we’ve seen this as a problem for organizations of all types,” he says. “In this case, the transit system was not specifically targeted.”

Erlin says hackers who engage in ransomware attacks are opportunistic and not necessarily focused on infiltrating a particular type of user, which makes every organization and industry a potential target.

“We’ve seen where ransomware attacks sort of move through industries. As those industries have improved their basic security practices, then they become less attractive targets because, ultimately, the objective of these attackers is to make money,” he says.

To mitigate the threat of ransomware attacks, Erlin recommends that organizations always have current, available backups of their critical systems so they can be restored in case they are compromised. Secondly, he says there needs to be a greater focus on the basics of good information security.

“The ransomware itself may seem technically sophisticated, but in the vast majority of cases the initial discovery of a victim is done through a broad internet scan and it’s through the use of well-known, well-published vulnerabilities or misconfigurations. Making sure that you are assessing your own assets for vulnerabilities, patching them and making sure you are deploying and maintaining secure configurations will help prevent ransomware from being a problem for you in the first place,” Erlin explains.