The “ransomware” part of this attack is a bit more elaborate than usual, since simple destruction of the encrypted files really isn’t all that much of a threat. When the hack was first announced, it seemed that the best thing to do would be to simply refuse, and begin anew; transit really shouldn’t involve any vitally important data that can’t be recreated, so the solution can be as simple as reloading all software from the bottom on up. Then, on Monday, the attacker released another message, making clear the true nature of the treat: “But if they don’t, we will publish 30G databases and documents include contracts, employees data, LLD Plans, customers.”
Now, under this new threat, the public hack of the ticket system is really just meant to turn up the heat, make sure the public is aware of the situation, and to create pressure to prevent a major leak of information. The ticket system itself is still just bricked — bothersome, but ultimately fixable with a little time. But releasing employee and customer data, that’s a legitimate threat. Employees give up enough data about themselves to make identity theft far easier — just ask the US Office of Personnel Management, which kept most of its employee data unencrypted, and which lost millions of files to (it seems likely) Chinese hackers.
So, is this the beginning of a trend, one that puts our municipal infrastructure under constant risk of attack from forces that can act without fear of meaningful retaliation? In short: probably. Just this week, Carleton University was subjected to a similar attack, shutting down a portion of its network and bringing parts of its operation to a halt, and with the ongoing rise of the Internet of Things, a larger proportion of our lives will be hackable. It’s one thing to ransom-hack a person’s thermostat to permanently stay at the coldest setting — it’s quite another to similarly lock a person’s blood sugar monitor, or pill dispenser, or pacemaker.
Most troubling, though, is the mode of the attack. The malware itself is thought to be based on “HDDCryptor,” a virulent malware that can install itself through a simple visit to a malicious website, and which installs itself in the Master Boot Record. In an email to journalists, the attacker said that the transit authority was not specifically targeted; this relatively “off the shelf” malware solution was simply released and allowed to attack any vulnerable computer that stumbled upon it. “Our software working completely automatically,” said the attacker in broken English, “and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software!”
This is a recurring theme with these sorts of attacks: incredulity on the part of attackers that ransoming data is this easy to do, and this easy to get away with. The FBI has all but given up on the prospect of investigating these claims as they become more common; last year, an FBI agent made a widely quoted gaffe by claiming that the best thing for victims to do is simply pay the ransom. Today, the agency has evolved to recommending some common-sense preventative measures, but it still won’t go so far as to say there’s any real hope of recovery after an attack. They emphasize that paying in no way ensures that you will actually get your money back — though by refusing to unlock the data, hackers would be making successful extortion harder for themselves in the future.
And that’s really where the ransomware issue is headed: cultural conflicts over the most ethical ways to act to mitigate the damage. Hospitals have already suffered major attacks, but as such potentially life-threatening security failures become more common, the question will become more urgent: is it more ethical to pay and mitigate harm in the short term, or to refuse to pay and mitigate harm in the long term? This is a live debate when it comes to literal ransom for kidnapped people — and data-ransom will be a major point of debate, as well.
The problem with proposed criminal bans on ransomware payments, however, is the same as the problem of criminalizing literal ransom payments: it’s hard to enforce, in practice. That’s because the people who break the law are, almost by definition, the ones who are the most desperate and sympathetic. It’s simply very politically difficult to throw a nice Midwestern mom in jail for personally paying a ransom for a kidnapped child, just as it’s going to be next to impossible to prosecute a hospital bureaucrat who shells out to avoid having any patients die unnecessarily when they go home for the night. In general, any law that’s broken only by people who genuinely believe that they’re doing the right thing, and who knowingly accept the consequences as lesser than the consequences of inaction, is going to be difficult to enforce.
The city of San Fransisco certainly knows where it stands on this, however: “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.” Note that there is no mention in this comment on user data, since that’s the actual threat on offer.
Ultimately, though, the goal should be to advance security and best practices far enough that the reactions of individual victims aren’t a meaningful factor, when compared to the difficulty of success and the threat of being caught. Remember that in this case, the hacker pointed out the old, glaring security problem that allowed access to the SFMTA network in the first place — in many ways, debates over the best way to deal with a data ransom demand are defeatist by their very nature.