Criminals Demanded $8K from Sacramento Regional Transit after Attack

Criminals demanded a ransom of approximately $8,000 after they attacked the Sacramento Regional Transit's (SacRT) computer system. The attack occurred on 18 November, reports The Sacramento Bee, when unknown attackers defaced the public transportation agency's main website with the following message:

I’m sorry to modify the home page, i’m good hacker, i I just want to help you fix these vulnerability. This is one of the loopholes, modify the home page....

Technicians accessed the agency's system shortly thereafter to evaluate the extent of the attack's damage. It was around that same time that the criminals gained access to SacRT's virtual servers and erased some of their data. Fortunately, this action did not pass unnoticed by the entity's security systems. Chief Operating Officer Mark Lonergan said the Sacramento Regional Transit sprang into action:

We caught it early (Sunday) morning. We took all our systems offline. We are restoring everything now and bringing it up online.

It also reached out to its Twitter followers notifying them of possible issues they might experience along their commute. https://twitter.com/RideSacRT/status/932295992682037248 Bus - Sacramento Regional Transit District, Sacramento, CA. (Source: TripAdvisor) In the meantime, the attackers messaged SacRT with a single demand: pay one Bitcoin (worth over $8,000 at the time), or the attacks will continue. The Sacramento Regional Transit did not respond to that request and instead focused on restoring from its backups. The attack overall erased about 30 percent of the agency's files, reports KCRA. However, it did not result in the theft of employee or customer information, and it did not affect bus and light rail services. If anything, it might have limited customers' ability to pay with credit cards and to access their online accounts. A Facebook statement released by the authority on 20 November echoes this impact:

Please be advised, SacRT has been the victim of a cyber ransom attack. Fortunately, the damage to our network was limited, and no personal data was compromised. This was only an attack on our business operations in an effort to extort money. SacRT’s IT team is working to restore the network, but the website will remain off-line until the entire system has been scrubbed for malware. As our IT team verifies applications and services are "safe" they will be brought back online. Connect Cards will continue to function on the system, but there will be no access to online accounts. The Customer Service Sales Center will be open for business, however credit card transactions are unavailable at this time. Light rail and bus operations have not been impacted, but passengers will be unable to retrieve schedule information until the website is brought back online. We thank you in advance for your patience as we work through this challenge.

Since posting that statement, SacRT has reactivated its website, and it's brought both its Connect Card and financial application systems back online. The agency is now cooperating with the Department of Homeland Security on an investigation into this incident. SacRT isn't the first transit agency to experience a ransom-based attack. In November 2016, the San Francisco transport system suffered a ransomware attack that prevented it from charging commuters for riding its rail and bus lines. Given attackers' increasing focus on the transportation industry and other critical national infrastructure, it's important that organizations back up their data against destructive ransom-based attacks. They should also harden their networks by implementing foundational security controls. To learn how Tripwire's solutions can help your organization implement those security measures, click here.