Dive Brief:
- On Friday, the San Francisco Municipal Transportation Agency found malware on its computer systems, including email, which encrypted office computers as well as access to various systems, the agency announced Monday. SFMTA said it is working with the Department of Homeland Security and the FBI to recover from the ransomware attack.
- SFMTA said its network was not externally breached and transit operations and safety remained unaffected. Because the attack affected about 900 office computers, as a precaution the agency turned off ticket machines and fare gates to avoid any "risk or inconvenience" to transit customers.
- Though the agency says no data was compromised, the person claiming responsibility for the attack promised to release 30GB of data if the agency does not pay the $73,000 ransom, or about 100 bitcoins, according to a CSO report. SFMTA said it has "never considered paying the ransom."
Dive Insight:
The agency's account of what happened conflicts with reports about the details of the ransomware attack. Details are still coming to light, as this is thought to be one of the first examples of a transit system suffering a ransomware attack that resulted in free rides for customers. Before this, hospitals were largely the focus of such attacks.
The goal of a ransomware attack, more than just service disruption, is a payout in exchange for returning system functionality to the victim organization. To do that, hackers often leverage data breaches or permanently encrypted systems as bait to ensure they receive payment.
Most hackers have an agenda, and it is likely more information will come out about the root cause of the attack and what systems were impacted. But since mass transit serves as a utility and any disruptions could be considered a threat to public safety, authorities will work to quickly mitigate the attack and ensure other organizations are not impacted by a similar tactic.