There are usually many lessons learned from any data breach, but almost always the prime lesson from a ransomware attack is be prepared by having a good backup.
That’s the first take-away from last Friday’s successful ransomware attack against the San Francisco Municipal Transport Agency, which temporarily knocked out desktop terminals at Muni stations across the city and forced the agency to stop selling tickets fares for a time on its light rail system. The attacker demanded 100 Bitcoins, or approximately US$73,000, to unlock the damage.
However, the Muni has been able to restore the systems, though it has taken time. “Existing backup systems allowed us to get most affected computers up and running this morning (Monday),” the agency said in a statement on its website, “and our information technology team anticipates having the remaining computers functional in the next two days.”
More detail is available this morning from security reporter Brian Krebs, who, through a source that hacked and read the attacker’s email and got into the attack server and came up with some interesting information. First, the Muni was only one of a number of successful ransomware victims of this attacker, most of whom were manufacturing and construction firms based in the United States. One — apparently unprepared for a ransomware attack — paid 24 Bitcoins (~$17,500) this past Sunday to decrypt some 60 servers infected.
Second, while it isn’t clear exactly how the Muni’s system was compromised an expert who looked at the email and attack server data said targets included unpatched Oracle servers, including those running its Primavera project portfolio management software. It leverages a bug called a deserialization vulnerability in Oracle WebLogic Server and the Apache Commons library it uses. Oracle issued an alert on this a year ago. In fact, says the Krebs column, the Muni attacker helpfully sold one victim a link to that page who wanted advice on how to better secure their system.
It bears repeating again that many organizations fall victim to attacks because they aren’t following basic security, including using multi-factor authentication to secure essential servers, having off-line backup that can’t be contaminated and patching all systems.
The RCMP warns organizations to make regular backups of important files and keeping operating system and software up to day. End users are warned to beware of pop-up messages or a banner with a ransom request.
- Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
- Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
- Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
- Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
- Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.