How ransomware gave passengers a free ride on the San Francisco railway
The other day, passengers on San Francisco's municipal rail system saw the message “You are hacked, ALL data is encrypted” on the screens of all the fare terminals of the transport operator, the San Francisco Municipal Transportation Agency (SFMTA). Some time later, management confirmed the breach, stating that SFMTA was actively investigating the incident.
“We are currently working on a solution to this problem. An investigation is underway, and we cannot yet provide additional details,” an SFMTA spokesman said. As it turned out, the message on the screens was displayed by malware, specifically ransomware. Not only the fare terminals were locked, but also a large part of the company's computer infrastructure. Because fares could not be collected, passengers were allowed to ride for free while the situation was being resolved.
On Sunday, staff even had to fall back on planning routes with paper, pen and telephone calls between station dispatchers. Normally route planning is done by computer, with run sheets distributed to train operators automatically in electronic form. For now the schedule hangs at the stations as paper plans.
Responsibility for the cyber attack was claimed by someone calling himself Andy Saolis. The cybercriminal even answered a couple of questions from journalists. He said that he and his group were behind the attack on the transport company, and that the attack was carried out solely for money and nothing more. “I hope this will help the company improve the security of its IT infrastructure before we come back,” Saolis wrote.
According to the attacker, the attack was not aimed specifically at this company's network. An infected file had been placed on a torrent tracker, and one of the station's employees downloaded it. Once the file was run, the malware launched and infected the entire network.
“The station was the weak link,” said the attacker. He added that unlocking the station's computer systems would require a payment of 100 bitcoins (about $73,000 at the current rate). So far, according to the authors of the attack, the company's representatives have not contacted them. “Perhaps they want to get a hard lesson,” wrote Saolis.
Meanwhile, station staff have managed to bring some systems back into operation. The company employs about 6,000 people, and all of their data is at risk, since all employee information is stored in a shared database on the infected system.
According to the affected company, most of its data was protected from infection, so the information critical to its operations was not compromised. But the operational computers are locked by the ransomware, so work has to be done the old-fashioned way.
In any case, the company does not have much time left before the payment deadline expires, after which the attackers say the data on the affected systems will not be restored.
Despite how widespread it is, this type of malware is difficult to deal with. The problem is that the key used to encrypt the user's files is sent to the attackers' servers. Without it, recovering the data is in most cases impossible. Security researchers do not always manage to find an “antidote” for the latest ransomware, so individuals and organizations end up paying the malware's creators. That is what happened, for example, to a school in South Carolina, USA, whose administration had to pay $8,500 to the developers of the encryption malware.
Attackers fall into two groups: those who honestly send the victim the key to decrypt the encrypted data, and those who send nothing at all. Worse, there are cases where supposed ransomware does not encrypt anything but simply deletes files, and then still demands money from the victim to recover data that can no longer be recovered. Ranscam is one such malware that only pretends to be ransomware. It makes it appear that files have been encrypted, when in fact all the user sees on screen is a command prompt listing the files to be deleted. Once the files are gone, the program shows a pop-up window asking for payment in exchange for the encryption key.
Ransomware is distributed in a variety of ways, from email to the websites of well-known companies. For example, this spring the site of a popular toy maker began infecting its visitors with ransomware. As it turned out, the site had been hacked and the attackers had uploaded their own code to the server, integrating it into the Joomla CMS the site runs on. In April, a similar attack was carried out on sites running Microsoft's IIS web server; in that case, however, the CryptoWall or TeslaCrypt ransomware was used.