UPDATE: While the ticket kiosks are back online, the hacker is saying that if the Muni doesn’t fix security problems and pay the ransom by Friday that they are going to release the data that they have taken.
Passengers entering the San Francisco Muni rail system were greeted by the message “You Hacked” on Friday when they attempted to purchase a ticket.
Later, handwritten signs on the ticket machines said FREE MUNI.
While the rail operator has been very quiet on what is going on, the hacker is not. Some of the messages from the hacker include:
“You Hacked, ALL Data Encrypted.” The bad English could easily be an attempt to disguise where the attackers came from,
The attackers are supposedly asking for 100 Bitcoin or roughly $75,000.
The agency is “using very old system’s !” the person behind the email address said. “We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …!”
“We Gain Access Completely Random and Our Virus Working Automatically !” he continued. “We Don’t Have Targeted Attack to them ! It’s wonderful !”
“We Don’t live in USA,” he said. “Sorry For My English anyway ;)”
The attackers claim to have taken 30 gigabytes of data, which may seem like a lot, but in today’s world, it is pretty small.
While shoppers on Black Friday had a free ride, by Cyber Monday, the ticket machines, at least, were working again.
While Muni officials are saying that they were investigating and it would be inappropriate (or embarrassing) to comment, others are talking. Hoodline, a Bay Area news blog said that other data including payroll, email, Quickbooks, Nextbus operations, MySQL databases and other data had been taken.
If that is true, this could be a big deal. While people like some federal agencies (HHS) and me have said that you need to ASSUME that if hackers encrypt your data, they could easily have a copy of the data, we now have more evidence of this actually happening.
If the comments from the hackers are true, they have control of over 2,000 computers at the agency, roughly a quarter of all of the agency’s computers. They will need to assume that the other three quarters of their computers may be infected even though they are not showing symptoms. YET!
Assuming that they even have backups for 2,000+ computers, which is HIGHLY unlikely, rebuilding and restoring 2,000 computers could take weeks – or more – depending on the resources available.
Apparently, the attack is a “Spray and Pray” style attack, meaning the SFMTA was not targeted. Typically these attacks work by sending out millions of emails and whoever opens them or clicks on a link in the infected emails becomes the next victim.
If the hackers do have the data, then the SFMTA has a significant breach to deal with.
For businesses and now government agencies, this is something I have been saying would happen for months – not only do they have to worry about rebuilding their machines, potentially losing data if they don’t have backups and maybe paying a ransom, but now they have to add to that list, having their data compromised and possibly being publicly released.
In this case, the hackers merely encrypted the computers that run the ticketing and other business systems. What if they compromised the systems that actually run the trains – similar to the attack in Ukraine last year that blacked out the country for 24 hours? Depending on what they did, the Muni could be down for weeks. Or more. In the case of the Ukraine attack, the hackers DAMAGED the automation equipment, making it difficult or even impossible to repair, making replacing a lot of very expensive hardware the only option. That equipment is not the kind of stuff that you can buy at Home Depot or Best Buy.
Being prepared for these types of attacks takes time and money and requires people to stop doing risky things. For many businesses, dealing with this is just not a priority. I predict it is now a priority for the SFMTA. This will likely cost them 10 to 100 times what it would have cost them to be prepared. The good news is that if they fall under the umbrella of governmental immunity, it will be very hard to sue them and there is not an alternative railroad for customers to use instead.