Having backups is always important, but in some cases even having perfect backups won’t mitigate all the consequences of a ransomware attack.
Over the holiday weekend there was another high-profile ransomware attack, this time hitting the San Francisco Municipal Transportation Agency, or SFMTA. This is the first time a major transportation agency has been shut down by a ransomware attack, and it’s eye-opening to say the least. As a quick recap, the SFMTA estimates that the attack, which began on November 25th, affected about 900 of their computers. They have backups and are using them to restore data with no intention of paying the ransom; so all is well, right? Wrong.
The great part about having backups is that the SFMTA didn’t lose all of their data or customer data, which could have been catastrophic. They most likely would have paid the ransom in that case, or faced extreme financial losses. However, it’s not all sunshine and rainbows just because you have a backup solution. SFMTA discovered the attack on November 25th and had brought most computers back online by the morning of the 28th, with the rest to follow in 2 to 3 days. This means that a large chunk of their workforce was down for several days, or almost a week on the extreme end.
Being unable to work is going to cost any business money, but the SFMTA also had to shut down payment systems and terminals, meaning the public was able to ride the metro for free. According to several articles, this was costing them close to $500K per day they were down. The payment systems were turned off from Friday the 25th until Sunday at 9am. This downtime equates to over a million dollars lost due to this ransomware infection. Backups can save data, but they’re often not fast enough to get you back online without some downtime.
This instance further demonstrates the importance of prevention. By putting your emphasis on prevention instead of detection and recovery, you’re working to eliminate this problem before it happens. We believe that prevention is the only way to protect your business, and that’s why PC Matic uses our global application whitelisting. Allowing only known-good applications lets you avoid targeted or organized attacks because of our default-deny stance. All unknowns are always blocked, no matter how new they are. We don’t know what antivirus protection the SFMTA was using, but even with it and backups to save their data, they still suffered losses of over a million dollars due to downtime.