[BreachExchange] Passengers ride free on SF Muni subway after ransomware hits 2,100 systems, demands $73k

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 28 18:44:00 EST 2016


http://www.theregister.co.uk/2016/11/27/san_francisco_muni_ransomware/

Hard-drive-scrambling ransomware menaced more than 2,000 systems at San
Francisco's public transit agency on Friday and demanded 100 bitcoins to
unlock data, The Register has learned.

Ticket machines were shut down and passengers were allowed to ride the Muni
light-rail system for free on Saturday – a busy post-Thanksgiving shopping
day for the city – while IT workers scrambled to clean up the mess.

A variant of the HDDCryptor malware infected 2,112 computers within the San
Francisco Municipal Transportation Agency, the ransomware's masters claimed
in email correspondence seen by El Reg.

These systems appear to include office admin desktops, CAD workstations,
email and print servers, employee laptops, payroll systems, SQL databases,
lost and found property terminals, and station kiosk PCs. We're told that the
worm-like malware automatically attacked the agency's network, and was able
to reach the organization's domain controller and compromise
network-attached Windows systems. There are roughly 8,500 PCs, Macs and
other boxes on the agency's network.

After the vulnerable computers were infected and their storage scrambled,
they were rebooted by the malware and, rather than start their operating
system, they instead displayed the message: "You Hacked, ALL Data
Encrypted, Contact For Key (cryptom27 at yandex.com) ID:601."

HDDCryptor and its cousins encrypt local hard drives and network-shared
files using randomly generated keys and then overwrite the hard disks'
MBRs, where possible, to prevent systems from booting up properly. A
machine is typically infected by an employee accidentally opening a
booby-trapped executable in an email or download, and then the infection
spreads out across the network.

When the 100-bitcoin ransom – right now about $73k – is paid, the crooks
supposedly hand over a master decryption key to restore the ciphered drives
and files. A bitcoin wallet into which the transit agency is expected to
pay remains empty.

The extortionists behind the malware have complained that no one at the
agency has so far spoken to them let alone offered to pay. The crooks said
they will give Muni officials another day or so to get in touch before
walking away. They also offered to decrypt one machine for one bitcoin to
prove restoration is possible.

"Our software [is] working completely automatically and we don't [launch]
targeted attacks ... SFMTA's network was very open and 2,000 server/PCs
[were] infected by software," the ransomware's masterminds claimed in a
statement in broken English on Sunday via email. "So we are waiting for
contact [from] any responsible person in SFMTA but I think they don't want
a deal. So we close this email [account] tomorrow."

Buses and the underground-overground Muni rail system continue to run. The
Muni's turnstiles were left open from Friday night, though, allowing people
to travel for free. Ticketing systems were halted with "out of service"
messages in the wake of the infection.

"We can confirm a cyber attack," the transit agency's spokesman Paul Rose
told The Register.

"We opened the fare gates on Friday and Saturday as a precaution to
minimize any possible impacts to customers. There has been no impact to
transit service, to our safety systems or to our customers' personal
information. The incident remains under investigation, so it wouldn't be
appropriate to provide any additional details at this point."

San Francisco's public transit system joins the ranks of hospitals,
businesses, police stations and other organizations hit by ransomware. Some
cough up cash to the extortionists who spread the file-encrypting software
nasties, some don't.