BC Transit’s Ransomware Attack | Stephen Smith's Blog

source link: https://smist08.wordpress.com/2020/12/04/bc-transits-ransomware-attack/

Introduction

This past week it was revealed that BC Transit was the victim of a ransomware attack. People on their way to work showed up at transit and found they couldn’t pay by credit or debit card, transit was only accepting cash. This was a big problem, since during the pandemic we are told not to use cash, and most people didn’t have what was required on them. There were further disruptions caused by the failure of Transit’s other backend computer systems. Service is mostly restored today and they are taking credit and debit cards again, but their computer systems are not fully restored and Transit’s IT workers are madly working behind the scenes trying to restore their various systems.

A ransomware attack is where hackers infiltrate a computer system and then encrypt all the data, so the victim can’t access it. They then threaten to delete or make public all this data if the victim doesn’t pay a ransom. In this article we’ll look at how this happened, some details of how these attacks go and what can be done about them.

Ransomware – Close up of Your Files Are Encrypted on the Screen

BC Transit Was Warned This Would Happen

BC Transit wasn’t the first transit authority to be attacked. There was a big article in Mass Transit News which detailed an attack on Fort Worth’s transit system and warned all other transit authorities to be extra vigilant. Besides hackers targeting transit authorities in the past few months, ransomware has been an ongoing problem in many enterprises; the big cases making the news have been hospitals having to shut down during the pandemic.

BC Transit’s IT people should have reiterated to staff the precautions to take, as well as hardened their security systems.

How Do These Attacks Happen?

Theoretically, Transit should have secure IT systems and their staff should be trained in general best-practice security awareness. So how did hackers break into Transit’s systems to encrypt and steal all their data? BC Transit says they are conducting an internal investigation and is not giving any details, but we can see from past cases how this usually works. The hackers figure out the work emails of as many BC Transit employees as they can and then send them phishing emails. These emails either contain an attached Microsoft Office document or spreadsheet, or a link to one that will download from the web. The Office document contains malicious macros that take control of the employee’s computer. Most basic security systems won’t allow receiving an EXE file, but MS Office macros are sufficiently powerful to do the job. Another approach is to look for weak passwords used by employees and exploit the fact that most companies, in these days of COVID-19, have to allow remote login for users working at home. A third approach is to phone employees pretending to be the IT department and trick them into either revealing their password or changing it to something simple.
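The point about macros deserves a concrete check. A gateway that only blocks `.exe` attachments lets macro-enabled Office files straight through, and an attacker can rename a `.docm` to `.docx`. The following is an added example, not code from the post or from BC Transit, showing a content-based classifier a mail gateway or file-share scanner could run: it opens the OOXML package, looks for a `vbaProject.bin` part or a macro-enabled content type, and flags legacy OLE binaries it cannot inspect. The sample documents it builds are constructed in memory and contain placeholder bytes, not real macros.

```python
import io
import zipfile

# Added example (not BC Transit's or the post's own code): a content-based check a
# mail gateway or file-share scanner can run on incoming Office attachments, so
# that macro-enabled documents are quarantined even when the file extension lies.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE2) container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'macro', 'legacy-ole', 'office-clean' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry VBA streams but are not zip archives; a
        # simple gateway treats them as suspicious rather than trying to parse OLE.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other"            # a zip, but not an Office package
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_macros = "macroEnabled" in types_xml or VBA_CONTENT_TYPE in types_xml
            return "macro" if (has_vba_part or declares_macros) else "office-clean"
    except zipfile.BadZipFile:
        return "other"


def should_quarantine(filename: str, data: bytes) -> tuple:
    """Gateway policy: block macro-bearing and legacy Office files regardless of extension."""
    verdict = classify_office_attachment(data)
    if verdict == "macro":
        return True, f"{filename}: contains a VBA project (macros)"
    if verdict == "legacy-ole":
        return True, f"{filename}: legacy OLE Office format, cannot verify macro-free"
    return False, f"{filename}: {verdict}"


def _build_ooxml(main_content_type: str, with_macro: bool) -> bytes:
    """Build a constructed minimal Word-style package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            # Placeholder bytes only; a real vbaProject.bin is an OLE stream holding VBA code.
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-NOT-A-REAL-VBA-PROJECT")
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + overrides + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples: a plain .docx, a macro-enabled .docm, and a legacy OLE header.
SAMPLE_DOCX = _build_ooxml(
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", False)
SAMPLE_DOCM = _build_ooxml("application/vnd.ms-word.document.macroEnabled.main+xml", True)
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    # "invoice.docx" carries macro content under a harmless-looking extension.
    for name, blob in [("memo.docx", SAMPLE_DOCX), ("invoice.docx", SAMPLE_DOCM),
                       ("old-report.doc", SAMPLE_LEGACY_DOC)]:
        print(should_quarantine(name, blob))
```

The decision is made on bytes, not on the filename, which is the property that matters at a gateway. Legacy OLE files are blocked outright here because inspecting their VBA streams needs a proper OLE parser; an organisation that still exchanges `.doc` files would route those to a sandbox instead.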

Once the hackers have access to this one computer, they take it over and use it as a staging ground to attack the corporate network. A typical employee shouldn’t have much access to the network, but the hackers will search for things that are misconfigured or running something with known security vulnerabilities. The original ransomware attacks were automated and just infected the one computer; these new attacks are directed by real hackers who personally log in to these systems and do everything they can to compromise them.

At BC Transit, the hackers got full access to the corporate network, encrypted and downloaded all BC Transit’s corporate data and had every printer at BC Transit continuously print out their ransom demands.

Recovering from these attacks is difficult because the real hackers are still in the system and actively working against the IT staff. As the IT staff fix something, the hackers undo it. Basically the IT staff have to disconnect all their systems from the outside world while they clean and restore the systems. Even then it can be hard to find and remove all the hidden hooks, backdoors and programs that the hackers have hidden around their network.

BC Transit has stated that they will not pay the ransom, which is good, as paying the ransom encourages the hackers to keep doing what they are doing. It is rumoured that the ransom is several million dollars. BC Transit claims their system doesn’t contain any customer payment data, as payments are processed by a secure third-party payment processor. However, this could still be dangerous for employees, since these systems may contain all their payroll and other personal information, which could be used for identity theft and other malicious purposes. Usually, if you do pay the ransom, the hackers will give you the decryption key so you can access your data again; however, there have been many cases where the data later appeared for sale on the darknet, so expect your data to be public regardless.

How Can You Protect Yourself?

Here are a number of things corporations can do to protect themselves against this sort of attack:

  1. Don’t use Microsoft Office or Internet Explorer. Use an alternative such as Google Chrome and Google Docs and Sheets. So many of these attacks are caused by malware embedded in Microsoft Office files that a good case could be made to replace these.
  2. If you do use Microsoft Office, use group policy to disable macros and any other active content across your whole organization.
  3. Do not let employees connect to your network from a home computer, only from a work computer where group policy has severely restricted what the user is allowed to do. Further, the computer should always use a VPN for all internet access. Tightly restrict the computer to allow only what the user needs to do their job.
  4. Train and reinforce over and over not to reveal their password over the phone or to change their password when instructed over the phone. Plus implement some sort of two factor authentication technology to reduce the risk, even if the passwords are known.
  5. Isolate your servers. Do not have all your servers interconnected and allow everything to access everything else. For instance, put the ERP system on a completely separate domain and don’t let the domains trust each other. Having multiple networks is a pain, but it will limit the damage when part is compromised.
  6. Follow all best-practice security measures and ensure all updates are installed right away and forced on all your users. Keep regular backups of everything, and make sure you practice restoring them. There have been many cases of companies who failed to restore from backup because they never tested this.
  7. Pay attention to what is happening to other companies. BC Transit should have been prepared for this.
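Point 6 warns that companies have failed to restore because they never tested their backups. The following added example (not the post’s own code) is a small restore drill: it archives a directory, records a SHA-256 manifest of every file, then proves the archive restores by extracting it into a scratch directory and comparing each file against the manifest. The source tree, the drifted archive and the truncated archive are all constructed for the example.

```python
import hashlib
import pathlib
import tarfile
import tempfile

# Added example (not the post's own code): take a backup with a SHA-256 manifest,
# then prove it restores by extracting it somewhere else and comparing every file.


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: pathlib.Path, archive: pathlib.Path) -> dict:
    """Archive src_dir into archive and return {relative path: sha256} for every file."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            tar.add(path, arcname=rel)
            manifest[rel] = sha256_file(path)
    return manifest


def verify_restore(archive: pathlib.Path, manifest: dict) -> list:
    """Trial-restore into a scratch directory; return a list of problems (empty means good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = pathlib.Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")   # refuses path traversal on newer Pythons
                except TypeError:
                    tar.extractall(dest)                  # older Python without the filter argument
        except (tarfile.TarError, EOFError, OSError, ValueError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                    for p in dest.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != expected:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_drill() -> tuple:
    """Constructed restore drill: a good archive, a drifted one, and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "fares")
        (src / "config").mkdir(parents=True)
        (src / "routes.csv").write_text("route,fare\n1,2.50\n")
        (src / "config" / "app.ini").write_text("[db]\nhost=db01\n")

        good_archive = pathlib.Path(work, "fares.tar.gz")
        manifest = create_backup(src, good_archive)
        good_result = verify_restore(good_archive, manifest)

        # Simulate a backup that does not match what the manifest promised
        # (a file changed between cataloguing and archiving, or silent corruption).
        (src / "routes.csv").write_text("route,fare\n1,2.75\n")
        bad_archive = pathlib.Path(work, "fares-drifted.tar.gz")
        create_backup(src, bad_archive)            # its own manifest is discarded on purpose
        bad_result = verify_restore(bad_archive, manifest)

        # A truncated archive is the other classic surprise on restore day.
        truncated = pathlib.Path(work, "fares-truncated.tar.gz")
        truncated.write_bytes(good_archive.read_bytes()[:40])
        truncated_result = verify_restore(truncated, manifest)
    return good_result, bad_result, truncated_result


if __name__ == "__main__":
    for label, result in zip(("good", "drifted", "truncated"), run_drill()):
        print(label, "->", result or "restore verified")
```

The manifest must be stored separately from the archive (and ideally offline), otherwise an attacker who encrypts or deletes the backups takes the evidence with them. Running this drill on a schedule, against the real backup media and into a host that is not the production server, is what "practice restoring" means in point 6.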

Summary

Security is hard. Hackers are smart and resourceful. However, the IT staff at an enterprise as large as BC Transit should be capable of preventing this sort of attack, and should be capable of restoring quickly from an attack if it happens. Hopefully, BC Transit and other BC crown corporations learn from this experience and prevent a worse attack from happening in the future, especially to something like our hospital systems.
