carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Nov 29, 2016

Hacked MUNI refuses $73,000 ransom demand, recovers files from backup

Color illustration of laptop screen showing a security warning.

The San Francisco Municipal Transportation Agency (SFMTA) refused to pay a cybercriminal's $73,000 ransom demand following a ransomware attack that scrambled digital files, crippled a ticketing system, and forced officials to let Municipal Rail (MUNI) passengers ride for free during Black Friday weekend.

Instead of paying the ransom, SFMTA officials opted to rely on advice from federal officials and use a backup and recovery system to recover digital files and restore the network, according to a report on the San Francisco Chronicle's SFGATE website. The attack on San Francisco's transit system is the just the latest proof that a high-quality backup and disaster recovery system is the best way to protect computers in homes, businesses and public agencies from the damaging effects of ransomware.

"Considering paying that ransom was never an option,” SFMTA spokesman Paul Rose told SFGATE. "We were ready."

A Black Friday surprise
The ransomware attack, which was discovered on Black Friday as hordes of shoppers scoured the city for the best holiday bargains, locked up fare station terminals and caused them to display an ominous message: “You are Hacked. ALL Data Encrypted."

The message also demanded a ransom payment of 100 bitcoins—about $73,000—and gave an email address where the malicious hacker could be contacted. That email address——has been connected to several attacks involving HDD Cryptor, a form of crypto-style ransomware also known as Mamba. HDD Cryptor is known for its ability to block access to infected computers.

In an email to Ars Technica, Rose explained that the ransomware mainly affected computer workstations and blocked access to various systems.

"The SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls," Rose wrote. "Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers."

SFMTA officials never contacted the hacker, Rose said. Instead, the agency moved forward with plans to delete infected files, remove the ransomware virus and recover clean versions of corrupted files from backup. By Monday, MUNI's systems were up and running and passengers were back to paying the normal fare to ride the trains.

Backup: The best weapon against ransomware
While the MUNI incident happened to have a happy ending—it's important to know that many ransomware attacks do not. Ransomware can cripple an organization, cause costly damage to IT systems, and in some cases, it can put people in real physical danger. And the ransomware epidemic is getting worse all the time. Cybercriminals around the globe are attempting millions of ransomware attacks on individuals, businesses, hospitals and public agencies each day, according to a report from IT security firm Symantec.

Security experts say the best way to protect your data from ransomware involves a combination of user education, IT security tools like firewall and antivirus protection, and the most important piece of all: backup and recovery software. By investing in a solid backup and recovery system like Carbonite, users ensure that—like the fast-thinking folks at MUNI—they'll never have to give in to the demands of cybercriminals.


Mark Brunelli

Senior Writer

Mark Brunelli is a Senior Writer on the Corporate Marketing team at Carbonite. He blogs about Carbonite happenings and IT industry trends.

Related content