When you think of cyber attacks, the last place you think of may be the ticket booth at the subway station.
Despite this, our infrastructure is still incredibly vulnerable, according to experts. And the threat is real — spanning from hospitals and police stations to corporate America.
"We haven't seen a system that has proven to be immune or bulletproof at this point," Alex Rice, chief technology officer and co-founder of HackerOne, a bug bounty platform, told NBC News.
The Rise of Ransomware
The threat is so pervasive that the FBI even issued a warning in April, saying "Ransomware attacks are not only proliferating, they're becoming more sophisticated."
The San Francisco Municipal Transportation Agency was the latest high-profile victim, when its computer systems were targeted by ransomware on Friday. Ransomware is a type of malware that holds computer files hostage, essentially rendering them useless until a payment is made to the attackers.
Computer terminals in some Muni stations carried a message saying, "You Hacked."
As a result, commuters were treated to an early holiday gift with free rides for part of the weekend after transit officials decided to turn off ticketing booths and open up the turnstiles as a precaution. San Francisco MTA spokeswoman Kristen Holland said that while the hack didn't impact customer data, the MTA took the extra measures until they knew for sure that customer data hadn't been breached.
It caused a headache in the office, though, impacting 900 computers and the payroll system, according to Holland's updates.
Despite reports that the hacker or hackers demanded a ransom of 100 Bitcoin ($73,000), Holland said SFMTA never even considered paying it. The FBI advises against paying ransoms for fear it could embolden hackers and fund illicit activities.
Most computers were "up and running" Monday morning, Holland said, adding that "our information technology team anticipates having the remaining computers functional in the next day or two."
Who Is Behind the Attack?
How a hacker or group got into the SFMTA system or who is behind the attack remains unclear. A person or group claiming to be behind the attack has communicated with several media organizations, sending messages in broken English.
The alleged culprit also apparently received a taste of his or her own medicine when they were hacked, according to KrebsOnSecurity. Emails in the hacked inbox reportedly left a trail to other alleged victims.
In the case of SFMTA, the ransomware mostly encrypted data from office computers, as well as access to various systems, Holland said. "However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected."
Interrupting a major transit system for a weekend is no small feat, but San Francisco MTA has come out relatively unscathed compared to other organizations that have been targeted.
Hackers launching ransomware attacks tend to go after "low-hanging fruit, which is why you usually see smaller organizations impacted by this," Rice said.
Allan Liska, analyst at threat intelligence firm Recorded Future and author of "Ransomware: Defending Against Digital Extortion," told NBC News that having a good backup is key for cities, organizations, and individuals faced with a ransomware attack.
"Unfortunately, finding that out [once] you have a ransomware attack is the wrong time," he said. "If you're keeping a good backup, you wipe the system, reinstall the operating system, and then restore the backup."
Some of our aging infrastructure exists on isolated, old-school technology platforms. While they're still hackable, Liska said they're largely immune to the threat of ransomware.
But as more of that infrastructure moves onto 4G networks, it becomes more visible to hackers looking to take advantage.
How Ransomware Can Hold an Organization Hostage
Since 2013, hackers have hit police departments in at least seven states, holding their files hostage and destroying them if a ransom isn't paid. Some departments have paid and received decryption keys, allowing them to get their files back. Others have paid the price by losing valuable data.
"The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization's reputation," the FBI said in its April warning.
The Institute For Critical Infrastructure Technology echoed that, warning 2016 would be "the year ransomware holds America hostage."
"Ransomware is less about technological sophistication and more about exploitation of the human element," the report said. "Simply, it is a digital spin on a centuries-old criminal tactic."
While ransomware is mostly a nuisance, in the case of police departments it could destroy valuable case information, jeopardizing investigations and even potentially allowing alleged criminals to walk free.
A person may download the ransomware by visiting a malicious website or opening a seemingly innocent email attachment. At that point, their system is compromised and they'll receive a note letting them know they need to pay a sum of money, usually in bitcoins, to regain control.
Cyber criminals can exploit unpatched or out-of-date systems, such as an older version of Windows or plug-ins such as Adobe and Silverlight, Liska said.
"For most people, where you get infection is through your plug-ins, and those are annoying because it seems you have to patch those every week and people seem to dismiss it and put it off," Liska said.
He added that some organizations still operate on older versions of Windows, perhaps because it's the only version supported by their vendor or out of pure disregard for spending time and money on security.
Stay One Step Ahead
What's even more alarming is that you may not even have to open an attachment to fall victim to ransomware.
FBI Cyber Division Assistant Director James Trainor warned that hackers are staying one step ahead of everyone else "by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers."
Rice said he operates under the assumption that bulletproof security just doesn't exist. Instead, he holds that "preventative medicine is the best medicine" for everyone from organizations to individuals.
That means making sure you have a reliable backup, which will allow you to restore your system and not suffer anything more than a headache and some lost time.
"You have to be thinking about your systems," Rice said. "One of the best things you [or an organization] can do is actively try to hack yourself."