
San Francisco transit ransomware attack shows value of being prepared

[Image: Suitcase with Cash. Image from Shutterstock.com]

There are usually many lessons learned from any data breach, but almost always the prime lesson from a ransomware attack is to be prepared by having a good backup.

That’s the first take-away from last Friday’s successful ransomware attack against the San Francisco Municipal Transport Agency, which temporarily knocked out desktop terminals at Muni stations across the city and forced the agency to stop selling tickets for a time on its light rail system. The attacker demanded 100 Bitcoins, or approximately US$73,000, to unlock the affected systems.

However, the Muni has been able to restore the systems, though it has taken time. “Existing backup systems allowed us to get most affected computers up and running this morning (Monday),” the agency said in a statement on its website, “and our information technology team anticipates having the remaining computers functional in the next two days.”

More detail is available this morning from security reporter Brian Krebs, who, through a source that hacked and read the attacker’s email and got into the attack server, came up with some interesting information. First, the Muni was only one of a number of successful ransomware victims of this attacker, most of whom were manufacturing and construction firms based in the United States. One — apparently unprepared for a ransomware attack — paid 24 Bitcoins (~$17,500) this past Sunday to decrypt some 60 infected servers.

Second, while it isn’t clear exactly how the Muni’s system was compromised, an expert who looked at the email and attack server data said targets included unpatched Oracle servers, including those running its Primavera project portfolio management software. The attack leverages a deserialization vulnerability in Oracle WebLogic Server and the Apache Commons library it uses; Oracle issued an alert on it a year ago. In fact, says the Krebs column, when one victim wanted advice on how to better secure their systems, the Muni attacker helpfully sold them a link to that page.
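The deserialization bug described above is the class of flaw in which a server rebuilds Java objects from untrusted bytes and, in doing so, instantiates whatever classes the bytes name, including library classes that were never meant to be reachable. Patching WebLogic is the fix the article points to; the application-layer control that complements it is a deserialization allow-list. The following is an added example written for this article, not code from Oracle, Apache, Muni or Krebs: it uses the JDK's own `ObjectInputFilter` (available since Java 9) to accept only one expected application type and reject every other class before it is instantiated. The `TicketRecord` type, the filter pattern and the sample payloads are all constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/*
 * Added example (not from the article): a deserialization allow-list using
 * the JDK's ObjectInputFilter. Only the application's own TicketRecord and the
 * String it contains may be deserialized; any other class named in the stream
 * is rejected before its constructor or readObject logic ever runs, which is
 * what neutralises gadget chains built from library classes.
 */
public class SafeDeserialize {

    // The one application type we legitimately expect on the wire (constructed for this example).
    public static final class TicketRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String station;
        final int fare;
        TicketRecord(String station, int fare) { this.station = station; this.fare = fare; }
    }

    // Allow-list pattern: our record, java.lang.String, and nothing else ("!*" rejects the rest).
    // maxdepth and maxbytes additionally cap resource abuse from deeply nested or oversized graphs.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$TicketRecord;java.lang.String;maxdepth=5;maxbytes=4096;!*");

    // Helper used only to build sample payloads for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allow-list installed on this stream. The filter is consulted for
    // every class descriptor read from the stream, so an unexpected class never gets resolved.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: accepted and usable.
        TicketRecord rec = (TicketRecord) deserialize(serialize(new TicketRecord("Embarcadero", 275)));
        System.out.println("accepted: " + rec.station + " fare=" + rec.fare);

        // Unexpected payload: a plain HashMap stands in for any library class that is not on
        // the allow-list. The filter rejects it with InvalidClassException before instantiation.
        try {
            deserialize(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the allow-list is expressed in terms of what the application expects to receive, not in terms of known-bad classes, so it does not need updating each time a new gadget chain is published. Setting the filter per stream, as here, keeps the policy next to the code that reads the data; a process-wide default can also be installed through the `jdk.serialFilter` system property for code paths the team does not control.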

It bears repeating that many organizations fall victim to attacks because they aren’t following basic security practices, including using multi-factor authentication to secure essential servers, keeping off-line backups that can’t be contaminated, and patching all systems.

The RCMP warns organizations to make regular backups of important files and to keep operating systems and software up to date. End users are warned to beware of pop-up messages or banners with a ransom request.

The FBI offers this advice:
