SF Metro’s Handling of a Ransomware Attack Deserves Some Credit

It didn’t help that San Francisco’s transportation system, known as Muni, was using old Windows 2000 servers that haven’t received updates in years. Sure, they may have paid Microsoft for extended support, but this doesn’t nullify the fact that exploits for Windows 2000 servers are readily available online. In any event, the hacker who compromised their network claims that breaching the Windows 2000 servers wasn’t all that difficult. “SFMTA network was Very Open and 2000 Server/PC infected by software!”

Briefly, the story is this. On Friday night, November 25th, Muni computer screens displayed this message. “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter Key.”


Ticket machines displayed handwritten “Out of Order” and “Metro Free” messages. Yes, the metro was, in fact, free, as gates were locked in the open position. Muni representative Paul Rose said that Muni opened the gates on purpose to prevent any further hacking. Maybe. But ransomware hackers are after money, not disrupting infrastructure. That’s a whole different level of sophistication, more often reserved for nation-state hackers.

Rose says that Muni wasn’t hacked. The hacker claims otherwise. Maybe Rose has a unique definition of what ‘hacked’ means. However, the hacker claimed that multiple servers were encrypted and demanded Muni management pay 100 Bitcoins ($73,000) to get the decryption key. Muni managed to paste together a skeletal operation by Sunday, probably by restoring enough backed-up information to do so, but they admit not being in complete control. It may have been enough, however, to avoid paying the ransom. This apparently angered the hacker, who made an additional threat.


I suppose an experienced hacker could harvest information once inside a network and further increase their threats and monetary demands. However, I have found no evidence that ransomware hackers use this tactic. This might be because so many companies hit with ransomware attacks simply pay up. The attackers usually charge a modest amount for the encryption key, probably relying on their being paid without a fight. It seems their business model is based on gaining a profit from numerous, reasonably priced attacks, rather than attacks demanding a huge ransom. In the case of companies, they try to arrange the price based on the number of encrypted servers.

Security expert Brian Krebs noted that this particular hacker seemed to specialize in attacks on construction firms in the US, and they usually paid up. Of the firms listed as having been attacked, I could find no evidence that they even reported the hack. The only reason we know they were attacked at all was because the San Francisco Muni hacker was, himself, hacked and the contents of his email communications exposed. It seemed like most of his victims paid without a fuss. In fact, an August 2016 Malwarebytes report found that 40% of surveyed companies simply paid the ransom. More worrying is that half of the companies surveyed reported a ransomware attack in 2015 and that the percent of such attacks in 2016 is undergoing a rapid rise. Actually, that’s one of the greatest understatements I’ve ever made. Because, as of the first quarter of 2016, the number of ransomware-related domains was 35 times that of the previous quarter, according to an Infoblox report. This alone has sent the Infoblox DNS threat index to record heights. The following chart from a Trend Micro report gives a graphic view of this increase. The graph represents the situation in the UK, but it is similar to US findings.


The FBI, realizing the gravity of the situation, put out a special public service announcement in September, asking ransomware attack victims to report the crime.


Ransomware attacks are becoming more sophisticated and are increasingly targeting companies. Attackers are making this shift from individuals to companies because companies will not only pay more, but they are more likely to pay whatever is asked. As noted above, they are also more likely to keep the hack to themselves, probably because announcing such an attack could hurt their company’s reputation. Let’s look at the situation in the UK as an example. Trend Micro found that 69% of UK firms expect a ransomware attack. It may be that the UK is targeted by attackers because 65% of firms that experience such an attack will pay the ransom. In short, the UK is the low-hanging fruit of the ransomware world. That said, the US is really not that far behind.

Ransomware perpetrators tend to favor certain sectors over others. This may be because these sectors have a history of paying the ransom, since they depend more heavily on the data that is encrypted. However, it may also be that they have outdated IT networks that are more easily compromised. Malwarebytes found the following sectors to be most at risk.


One reason for the seemingly high percentage of healthcare hacks is that they are required by law to report them. Notice that the Muni attack is an outlier here. It seems the attacker found a vulnerability in Muni’s network while randomly probing the internet for unsecured networks and he simply decided to try his luck. Unfortunately for him, this may have been a step too far and he was, because of all the publicity he received, back-hacked. The back-hacking, which compromised his email, led researchers to surmise that he may have been operating from Iran. In addition, many of his past exploits have been exposed. But don’t feel too sorry for him. In recent months he has amassed a healthy income of over $140,000. That probably gives him quite a comfortable life in Iran.

It’s obvious from the information above that most companies and institutions can expect to be the target of a ransomware attack. For this reason, it is important to know both what to do to prevent such an attack and what to do if you are successfully attacked.

As you’ve heard thousands of times before, back up your data so at least you have files to get your operations running again. Hackers attack businesses at the end of a business day because many businesses back up their systems overnight. In other words, a late-day attack will encrypt everything changed since the last backup. Do not simply back up on the computer you are using or on any other device connected to your network, because this information, too, will be encrypted. The hard drive encryption used in the Muni and other recent attacks has been growing in popularity among ransomware attackers. In some ways it’s quicker and simpler than encrypting individual files, and it wipes out everything. This can, however, be thwarted to some degree with a hardware-separated security architecture, which will not allow the encryption to reach sensitive data on the drive or network. Again, be wary of all email attachments, even if they look innocent and valid on the surface. When in doubt, check it out. Contact the person who sent the attachment or link via a phone call, or in person, if possible. Ransomware attack vectors are increasing and becoming harder and harder to avoid. I wrote about the new Facebook and LinkedIn image hack, but also be aware of malvertising.

The FBI gives mixed signals on whether you should pay the ransom or not. Most of the time, you will get the decryption key, but about 20% of the time, you won’t. If the amount demanded isn’t as much as the cost of reinstalling a new system, or if you have no backup, think of the ransom as a lesson in how to use Bitcoins. Remember, however, that paying the ransom only encourages more ransomware attacks. Muni decided not to pay the ransom, but their allowing free rides still cost them $50,000. Their not paying the ransom, the subsequent back-hacking, and the unwanted attention it gave to the hacker will quite likely dissuade other ransomware operators from attacking such highly visible targets. It also suggests that the FBI is correct in encouraging companies to report such attacks. Muni deserves some thanks for its defiance, as it may serve as a role model for other companies and institutions that are victimized. True, they may not have had this end in mind, but that’s how it worked out.

But the battle is far from over. Operation Avalanche, which this week took down one of the biggest (if not the biggest) cybercrime networks in the world, has put cybercriminals on the back foot, but only temporarily. All companies should be prepared for a ransomware attack in the coming year. Those in the sectors shown above should be especially vigilant. No one can expect a company to take a stand against these attackers based on principle. Business is a practical enterprise. However, a concerted effort in this direction could go a long way towards stopping the increase in these attacks.
