Backups meant SFMTA didn't have to pay 100-Bitcoin ransom demanded by the attacker
The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency’s network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network’s systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn’t specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan.
Krebs reported that the e-mails he reviewed showed many paid the attacker, including one organization that sought recommendations from the ransomware operator on how to prevent future attacks. In response, the ransomware operator sent a link to a November 2015 advisory from Oracle regarding a vulnerability in the Apache Commons library of server-side Java components.
That vulnerability, which uses maliciously crafted data objects to exploit how the affected libraries “deserialize” them to unpack them for processing, is the same class of vulnerability used to attack MedStar, the Maryland health system that had multiple hospitals lose access to critical systems in April as the result of a ransomware attack. In that case, the attacker (who deployed Samsam crypto-ransomware across MedStar’s network) also apparently used an open source vulnerability scanning tool (JexBoss) to find and compromise a server running the open source JBoss platform.