Hackers successfully encrypted over 2,000 servers and PCs that are used to run San Francisco’s Light Rail Transit system. The hackers demanded 100 bitcoin (~ $73,000 USD) for the key to decrypt the data. The attack mainly impacted e-mail and payroll systems, but the agency shut down its ticket vending machines as a precaution and allowed travelers to ride the light rail system for free for most of the day Friday and all day Saturday. This was one of the biggest travel days of the season.
The attack was conducted using malware called HDDCryptor. It does not appear that the attackers were targeting the agency. They cast a wide net and found success in the vulnerable environment.
Although it may have taken the agency more time to get the systems back up and running and they probably lost more than $73,000 in ticket sales, I think it was the right move to resolve the issue without paying the ransom. They probably learned a lot about weaknesses in their environment and sent a strong message that they will not submit to the demands of these criminals.
link – http://www.forbes.com/sites/thomasbrewster/2016/11/28/san-francisco-muni-hacked-ransomware/#158b80fe54dd
http://www.wsj.com/articles/after-ransomware-san-francisco-offers-free-light-rail-rides-1480366454
Marcus A. Wilson says
I was just reading about this on Gizmodo. Seems like an expensive and risky way to determine where your flaws are in your environment. I thought it was really interesting that it seems like the FBI usually recommends for the companies to just pay the ransom to get their data back. Definitely a good thing that MUNI was able to do it without giving in.
Marcus A. Wilson says
link to the Gizmodo article: http://gizmodo.com/it-looks-like-the-san-fransisco-muni-hack-was-worse-tha-1789443579
Vaibhav Shukla says
As mentioned, the ransom malware HDD Cryptor was used. I think this will be the first very large-scale disruption caused by this malware, as this malware was more focused on personal PCs, where they easily trick people into paying bitcoin. HDDCryptor, also identified as Mamba, rewrites a computer’s MBR (Master Boot Record) boot sectors and locks users out of their PCs.
I feel that despite the fact the authorities didn't surrender to the ransomware, they have still incurred a loss of money from the sale of tickets.
Ahmed A. Alkaysi says
I agree. I liked that they continued the services without shutting everything down. Sometimes organizations hit the panic button and unplug everything; that is not always the best way to respond. The most important thing is to make sure customers are impacted the least.