Ransomware shuts down San Fran transit, but the hacker just got hacked
By Graham Templeton

This week, the San Francisco
transit system experienced the latest in a growing trend of “ransomware”
attacks against important pieces of infrastructure. The hack proceeded
basically the way we’ve come to expect of these cyber-extortion schemes,
encrypting everything it can get its hands on and displaying the
following message at all ticket kiosks: “You Hacked, ALL Data Encrypted.
Contact For Key (cryptom27@yandex.com) ID:681 ,Enter.” Though city
authorities are being tight-lipped about the “ongoing investigation,”
there’s no doubt that the hack is still in effect; with the ticketing
system still offline, San Fran transit users are currently riding for
free. There is some good news, though: as reported by Forbes, it seems that the hacker has had his or her own email address infiltrated in retaliation.
The “ransomware” part of this attack is a bit
more elaborate than usual, since simple destruction of the encrypted
files really isn’t all that much of a threat. When the hack was first
announced, it seemed that the best thing to do would be to simply
refuse, and begin anew; transit really shouldn’t involve any vitally
important data that can’t be recreated, so the solution can be as simple
as reloading all software from the bottom on up. Then, on Monday, the
attacker released another message, making clear the true nature of the
threat: “But if they don’t, we will publish 30G databases and documents
include contracts, employees data, LLD Plans, customers.”
Now, under this new threat, the public hack of
the ticket system is really just meant to turn up the heat, make sure
the public is aware of the situation, and to create pressure to prevent a
major leak of information. The ticket system itself is still just
bricked — bothersome, but ultimately fixable with a little time. But
releasing employee and customer data, that’s a legitimate threat.
Employees give up enough data about themselves to make identity theft
far easier — just ask the US Office of Personnel Management, which kept
most of its employee data unencrypted, and which lost millions of files to (it seems likely) Chinese hackers.

Most troubling, though, is the mode of the attack. The malware itself is thought to be based on “HDDCryptor,” a virulent malware that can install itself through a simple visit
to a malicious website, and which installs itself in the Master Boot
Record. In an email to journalists, the attacker said that the transit
authority was not specifically targeted; this relatively “off the shelf”
malware solution was simply released and allowed to attack any
vulnerable computer that stumbled upon it. “Our software working
completely automatically,” said the attacker
in broken English, “and we don’t have targeted attack to anywhere!
SFMTA network was Very Open and 2000 Server/PC infected by software!”
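The article notes that HDDCryptor-style malware lodges itself in the Master Boot Record, the first 512-byte sector of a disk, which is why a wiped-and-reinstalled operating system alone does not prove a machine is clean. As an added, defender-side example that is not part of the article and not code from any tool it names, the Python script below parses the MBR layout (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA boot signature) and compares a freshly read sector against a baseline recorded from a known-good machine. The two sample sectors are constructed inline; `read_mbr` is an assumed helper for pulling the real sector from a block device such as `/dev/sda`, which requires root.

```python
"""MBR integrity baseline check (added example, not from the article)."""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOTCODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> Dict:
    """Split a raw 512-byte sector into a boot-code hash, partition table and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions: List[Dict] = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[start:start + 16])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(mbr: bytes, baseline: Dict) -> List[str]:
    """Return findings where `mbr` differs from a trusted baseline; empty list means no change."""
    current = parse_mbr(mbr)
    findings: List[str] = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("boot code hash changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(bootcode: bytes, entries: List[tuple]) -> bytes:
    """Constructed sample: assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = bootcode[:BOOTCODE_SIZE]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries[:4]):
        start = PARTITION_TABLE_OFFSET + 16 * i
        sector[start:start + 16] = struct.pack(
            ENTRY_FORMAT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: a "known-good" MBR with one bootable type-0x07 (NTFS) partition
# starting at LBA 2048, and a tampered copy whose boot code has been replaced.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100,
                            [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(GOOD_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 200,
                                [(0x80, 0x07, 2048, 1_000_000)])


def read_mbr(device_path: str) -> bytes:
    """Assumed helper: read the first sector of a block device (needs root, e.g. /dev/sda on Linux)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    print("good:", compare_to_baseline(GOOD_MBR, BASELINE))          # []
    print("tampered:", compare_to_baseline(TAMPERED_MBR, BASELINE))  # ['boot code hash changed']
```

In practice the baseline would be recorded once per disk image and kept off the host, since malware that rewrites the boot sector can just as easily rewrite a baseline stored beside it; the partition-table comparison is kept separate from the boot-code hash so that a legitimate repartition does not mask a changed loader.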

Medical device hacks are probably the most feared overall, except attacks against national infrastructure.
This is a recurring theme with these sorts of
attacks: incredulity on the part of attackers that ransoming data is
this easy to do, and this easy to get away with. The FBI has all but
given up on the prospect of investigating these claims as they become
more common; last year, an FBI agent made a widely quoted gaffe by
claiming that the best thing for victims to do is simply pay the ransom.
Today, the agency has evolved to recommending some common-sense
preventative measures, but it still won’t go so far as to say there’s
any real hope of recovery after an attack. They emphasize that paying in
no way ensures that you will actually get your money back — though by
refusing to unlock the data, hackers would be making successful
extortion harder for themselves in the future.
And that’s really where the ransomware issue
is headed: cultural conflicts over the most ethical ways to act to
mitigate the damage. Hospitals have already suffered major attacks, but
as such potentially life-threatening security failures become more
common, the question will become more urgent: is it more ethical to pay
and mitigate harm in the short term, or to refuse to pay and mitigate
harm in the long term? This is a live debate when it comes to literal ransom for kidnapped people — and data-ransom will be a major point of debate, as well.
The problem with proposed criminal bans on
ransomware payments, however, is the same as the problem of
criminalizing literal ransom payments: it’s hard to enforce, in
practice. That’s because the people who break the law are, almost by
definition, the ones who are the most desperate and sympathetic. It’s
simply very politically difficult to throw a nice Midwestern mom in jail
for personally paying a ransom for a kidnapped child, just as it’s
going to be next to impossible to prosecute a hospital bureaucrat who
shells out to avoid having any patients die unnecessarily when they go
home for the night. In general, any law that’s broken only by people who
genuinely believe that they’re doing the right thing, and who knowingly
accept the consequences as lesser than the consequences of inaction, is
going to be difficult to enforce.
The city of San Francisco certainly knows
where it stands on this, however: “The SFMTA has never considered paying
the ransom. We have an information technology team in place that can
restore our systems, and that is what they are doing.” Note that this
comment makes no mention of user data, which is the actual
threat on offer.
Ultimately, though, the goal should be to
advance security and best practices far enough that the reactions of
individual victims aren’t a meaningful factor, when compared to the
difficulty of success and the threat of being caught. Remember that in
this case, the hacker pointed out the old, glaring security problem that
allowed access to the SFMTA network in the first place — in many ways,
debates over the best way to deal with a data ransom demand are
defeatist by their very nature.