Ransomware locks up San Francisco Transportation Ticket Machines
“You Hacked, ALL Data Encrypted.” That was the message displayed on computer screens at Muni stations across San Francisco on Friday afternoon, apparently the result of crypto-ransomware spreading across the Muni system’s networks. It took down ticketing at Muni’s train stations and the systems used to manage the city’s buses. As reported by the San Francisco Examiner, the attacker responsible demanded $73,000 in exchange for the decryption key.
How were the systems attacked?
Muni computer systems were compromised last Friday after an SFMTA (San Francisco Municipal Transportation Agency) employee apparently downloaded ransomware, a class of malware that encrypts or locks a victim’s computers and demands payment to release them. The full message left on computer screens read, “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.” Alongside it, fare payment machines at Muni underground stations displayed “OUT OF SERVICE” in red LED letters.
What was said between Muni and the attacker?
On Monday, Paul Rose, a spokesperson for the SFMTA, said, “Personal information of Muni customers were not compromised as part of this incident.” He added that the agency’s team was investigating the matter but did not comment on whether Muni had been hacked: “there is an ongoing investigation and it wouldn’t be appropriate to provide additional details.” Despite Rose’s assurance about customer privacy, the alleged attacker, known only by the pseudonym “Andy Saolis,” issued a new threat to Muni through news outlets and claimed to have compromised customer data.
When the Examiner contacted Saolis by email, he wrote, “We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” and “Our software try to infect anything available and SFMTA station was leak point !” The attacker gave the SFMTA until Friday to pay the ransom; the earlier deadline had been Monday. Rose said, “We’ve never considered paying the ransom,” adding, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”
More about the Ransomware
As reported by Ars Technica:
… ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro.
A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the entire network of its victims—encrypting entire local and networked drives. The malware uses an open source disk encryption tool called DiskCryptor and identifies physical and network shares to encrypt using Windows’ “GetLogicalDrives” volume management function. It also uses code from the free network password recovery software Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the infected machine—in some cases forcing a reboot of the system—to display its message.
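The Ars Technica summary above says HDDCryptor overwrites the Master Boot Record to display its note. The Python script below is an added example (not code from the article, Ars Technica, Trend Micro or Morphus Labs) of the check a defender can run against that failure mode: fingerprint a known-good MBR, then later detect that the 446-byte bootstrap region has been replaced even though the sector still ends in the 0x55AA boot signature that a naive "is this a valid MBR" test would accept. The sample sectors, the partition layout and the baseline values are constructed for the demonstration; on a live system the sector would be read from the raw disk device (for example PhysicalDrive0 on Windows or /dev/sda on Linux) instead.

```python
"""Baseline check for a Master Boot Record (MBR) sector.

Added example, not from the article or any vendor it cites. It shows how to
fingerprint a known-good MBR and later tell whether the bootstrap code was
replaced (as a ransomware boot-locker does) or the sector was wiped. The
sample sectors below are constructed for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        # CHS fields are zeroed; modern loaders use the LBA fields.
        table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                             ptype, b"\x00" * 3, lba_start, sectors)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the boot-signature status and the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": entries}


def fingerprint(sector):
    """Hash boot code and partition table separately so a report can say which part changed."""
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
    }


def printable_strings(sector, min_len=8):
    """Pull printable ASCII runs out of the boot-code region; a ransom note shows up here."""
    out, run = [], bytearray()
    for b in sector[:BOOT_CODE_LEN]:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def verify_mbr(sector, baseline):
    """Compare a freshly read sector against a stored baseline; return findings (empty = clean)."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    current = fingerprint(sector)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code differs from baseline: bootstrap code has been replaced")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed known-good sector: ordinary bootstrap code and one active NTFS partition.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0" + b"Invalid partition table\x00",
                     [(True, 0x07, 2048, 1_000_000)])
BASELINE = fingerprint(GOOD_MBR)   # what an inventory job would store at install time

# Constructed tampered sector: same partition table, but the bootstrap code now only prints a
# note. The 0x55AA signature is intact, so a signature-only check would pass it.
TAMPERED_MBR = build_mbr(b"\xfa" + b"You Hacked, ALL Data Encrypted. Contact For Key",
                         [(True, 0x07, 2048, 1_000_000)])

# Constructed wiped sector: signature and tables gone.
BLANK_MBR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("blank", BLANK_MBR)):
        print(name, verify_mbr(sector, BASELINE), printable_strings(sector))
```

The point of hashing the two regions separately is triage: a changed bootstrap region with an untouched partition table is the boot-locker pattern, while a changed partition table points at a wipe or a repartition. The baseline must be captured before any incident and stored off the host, since an attacker who can rewrite sector 0 can also rewrite a baseline file kept beside it.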
It is not publicly known whether the ransom was quietly paid, but the lesson is the same either way: run the business with security as a primary concern. Muni, at least, has surely learned that from this incident.
Read Trend Micro’s blog post on HDDCryptor.