Insider Negligence Allows Ransomware Attacks
On Friday, November 25, 2016, the San Francisco Municipal Transit Agency (SFMTA) was the victim of a ransomware attack. Ransomware is malicious software that infiltrates computer systems or networks and uses tools like encryption to hold data “hostage” until the victim pays a ransom, frequently demanded in Bitcoin. According to the San Francisco Examiner, the hackers reportedly demanded 100 Bitcoin (worth about $73,000) to release control of the SFMTA’s computer network. On Friday and Saturday, computers in SFMTA’s Muni station agents’ booths displayed the message: “You Hacked, ALL Data Encrypted. Contact For Key (firstname.lastname@example.org) ID:681 ,Enter.”
The Examiner contacted the email address displayed on hacked Muni screens and was told by the alleged hacker, self-identified as Andy Saolis (a name that has been linked to other ransomware attacks), that the attack was made possible because “someone at SFMTA downloaded a torrented computer file.”
Torrent files are used to share large files over peer-to-peer networks. Cyberattackers use ad networks on torrent search websites to infect visitors’ devices with malware (a practice called “malvertising”).
An SFMTA news release stated that the attack primarily impacted approximately 900 office computers, that the SFMTA network “was not breached from the outside,” and that customer payment systems were not hacked.
The SFMTA turned off the ticket machines and fare gates in the Muni Metro subway stations on Friday and Saturday, leading to free rides for passengers.
The SFMTA said that it “never considered paying the ransom” and that it had “an information technology team in place that can restore our systems, and that is what they are doing.”
FTC Examines Ransomware
In a November 2016 blog post called “Ransomware—A closer look,” the Federal Trade Commission (FTC) called ransomware “one of the most serious online threats facing businesses.”
The FTC noted that businesses holding consumers’ sensitive information must be concerned about the threat of ransomware, which can disrupt operations or entirely shut down a business. In addition, said the FTC, “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”
We wrote earlier this year about the FTC’s treatment of failure to protect data as an unfair practice under the FTC Act and about the US Department of Health and Human Services’ discussion of HIPAA disclosure requirements when ransomware results in a data breach.
The FTC guidance states that in a workshop it conducted on ransomware, one panelist stated that 91% of all ransomware arrives through email phishing campaigns, which typically require the user to take some kind of action such as clicking on a link or downloading a malicious attachment. Other panelists discussed the increase in “malvertising” and how it can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.
The FTC says that organizations can protect themselves against the threat of ransomware by:
- Implementing training and education
- Practicing good cyber hygiene
- Backing up data early and often
- Planning and preparing for an attack
Organizations that have good data security habits can lessen the risk that a cyberattacker will gain access to company data. Employers should recognize that insider negligence is the leading cause of data loss or theft. In addition, as the SFMTA case shows, a company that has backed up its data won’t have to pay a ransom to get itself back on track.
Hacker Gets Hacked
In an interesting twist, the KrebsOnSecurity blog heard from a researcher who was able to compromise the email inbox of the SFMTA ransomware hacker by guessing the answer to his secret question and then resetting the attacker’s email password.
Brian Krebs said that the story proved, once again, that “truthfully answering secret questions is a surefire way to get your online account hacked.” When he’s required to supply such answers in order to use a service, Krebs said that:
“I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing.”
This is advice that LawRoom’s Checkpoint Data Security course also recommends.