This past weekend, the San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack that left it unable to process payments for rides. The SFMTA was forced to continue providing service, for free, while it repaired the systems that were damaged in the attack. Even in an incident where the ransomware author does not succeed in extorting a payment, the financial impact on the victim can be significant.
The SFMTA claims that the customer payment systems were not among those that had been hacked, and that financial data had not been extracted from the system as part of the attack. Ransomware attacks have largely involved encrypting data “in place”, rather than exfiltrating data to the attacker. This is part of what makes ransomware efficient and successful for attackers: a lowered risk of detection, less command and control infrastructure for the attack, and the ability to restore the data quickly when a victim pays.
In this way, ransomware gives us a perfect illustration of a concept I’ve been emphasizing with clients lately: “compliance is not equal to security”. In the SFMTA incident, as in many others, the compliance-related data (financial information) may not have been impacted, but operations were impacted significantly. Regulations and requirements for compliance are designed to protect your customers and clients, not your own assets and continuity of business.
Being in a state of compliance says nothing about your ability to continue operations. You may be compliant and unable to process orders and transactions, as SFMTA experienced. You may be compliant and unable to provide service, manufacture, or distribute. You may be compliant and unable to compete in your industry due to the theft of your intellectual property. You may be compliant, yet suffer catastrophic damage to your business.
With limited resources, organizations are tempted to limit the scope of security testing and the application of defenses to the systems identified as containing compliance-related data. This approach is dangerously incomplete, because it tends to ignore data and processes that are important to the business itself. It often fails even to protect compliance-related data, since that data is frequently kept on systems that the scope-limiting process never identified. Attackers routinely exploit trust relationships between out-of-scope systems and those holding sensitive data to compromise that data in a way that a limited-scope engagement simply will not identify.
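One concrete way to see the scoping problem is to trace trust relationships backwards from the systems that hold sensitive data and list every host that can reach them. The script below is an added example, not part of the original post or any SFMTA material; the host names and trust edges (shared credentials, admin access, flat network segments) are constructed for illustration, and a real inventory would be fed from a CMDB, firewall rules, or an Active Directory export.

```python
# Added example (not from the original post): compute the hosts that a
# compliance-scoped assessment leaves untested, by walking trust relationships
# backwards from the systems that hold the sensitive data.
# Every host name and edge below is constructed for illustration.
from collections import deque

# Constructed compliance scope: the only hosts a scope-limited engagement tests.
IN_SCOPE = {"payment-db", "payment-app"}

# Constructed trust edges: (source, target, kind) means a compromise of
# `source` gives an attacker a path onto `target` via `kind`.
TRUST_EDGES = [
    ("payment-app", "payment-db", "db-credentials"),
    ("jump-host", "payment-app", "ssh-admin"),
    ("it-admin-ws", "jump-host", "ssh-key"),
    ("fare-kiosk-mgmt", "payment-app", "shared-service-account"),
    ("hr-fileserver", "it-admin-ws", "domain-admin-logon"),
    ("hr-fileserver", "fare-kiosk-mgmt", "domain-admin-logon"),
    ("guest-wifi", "hr-fileserver", "flat-network"),
]


def upstream_hosts(sensitive, edges):
    """Breadth-first search over the reversed trust graph.

    Returns a dict mapping every host that can reach a `sensitive` host to the
    (next_hop, kind) pair by which it was first discovered.
    """
    incoming = {}
    for src, dst, kind in edges:
        incoming.setdefault(dst, []).append((src, kind))
    reach = {}
    seen = set(sensitive)
    queue = deque(sensitive)
    while queue:
        node = queue.popleft()
        for src, kind in incoming.get(node, []):
            if src not in seen:
                seen.add(src)
                reach[src] = (node, kind)
                queue.append(src)
    return reach


def scope_gap(in_scope, edges):
    """Hosts outside the compliance scope that still have a trust path into it.

    These are the systems a scope-limited engagement will not test, even though
    compromising any of them leads to the in-scope data.
    """
    reach = upstream_hosts(in_scope, edges)
    return {host: hop for host, hop in reach.items() if host not in in_scope}


def path_to_scope(host, in_scope, edges):
    """Human-readable chain from `host` to the first in-scope system, or None."""
    if host in in_scope:
        return host
    reach = upstream_hosts(in_scope, edges)
    if host not in reach:
        return None
    hops = [host]
    cur = host
    while cur not in in_scope:
        nxt, kind = reach[cur]
        hops.append(f"-[{kind}]-> {nxt}")
        cur = nxt
    return " ".join(hops)


if __name__ == "__main__":
    gap = scope_gap(IN_SCOPE, TRUST_EDGES)
    print(f"{len(gap)} out-of-scope hosts can reach in-scope systems:")
    for host in sorted(gap):
        print("  " + path_to_scope(host, IN_SCOPE, TRUST_EDGES))
```

With the constructed inventory, five hosts that the compliance scope excludes, down to the guest Wi-Fi segment, have a trust path to the payment application; the printed chains are the arguments for widening the assessment scope or for cutting the trust edges themselves.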
Ransomware authors are adapting their tactics. In the case of SFMTA, Brian Krebs’ report indicates that the attacker is scaling the ransom payment based on the attacker’s assessment of the victim’s worth. Many early ransomware attacks had a low, flat “fee”.
Falling victim today will be much more expensive than it was last year. Attackers will exfiltrate sensitive data more often, both to assess a victim’s worth more accurately and to find alternative means of monetization. Targets will be chosen more carefully as well. The SFMTA attacker has also targeted many businesses in construction and manufacturing.
Organizations should seek out legitimate, experienced, and professional providers of guidance and service. At least one victim of SFMTA’s attacker paid extra, on top of the ransom, for advice on mitigating the vulnerability. Asking the criminal attacker to help you secure your system is a terrible idea. Seek out someone who deserves your trust. Your entire business is on the line.