A quarter of the SFMTA’s network was infected over the holiday weekend.
Riders of San Francisco’s transit system, run by the San Francisco Municipal Transportation Agency (SFMTA), were treated to free rides this weekend. But what looked like a pleasant holiday surprise was actually the result of a nasty ransomware infection that took down the agency’s fare and ticketing computers, leaving no option but to let riders through for free while the systems were down.
Ransomware has been making headlines for the last few years. It is a type of malware that encrypts files on the infected computer, blocking access to them unless the victim pays a ransom in bitcoin (or another hard-to-trace payment method). Ransomware has been so effective largely because it relies on social engineering – the term given to attacks that manipulate people rather than software – often spreading through phishing emails and attachments posing as official invoices or bills.
The full extent of the damage to the SFMTA is unclear, but reporting from SF Examiner indicates that the ransomware has spread widely through its systems. Photographs of station agent computers show they were infected, and on Sunday, drivers were being assigned routes “via handwritten notes posted to bulletin boards, as opposed to the usual computer printouts.” Sources told KPIX 5 that computers handling payroll may also be affected, which could delay employees’ paychecks.
Affected computers displayed the message:
“You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 , Enter Key: Missing operating system.”
The San Francisco ransomware, believed to be a strain of HDDCryptor, encrypts the MBR (Master Boot Record) of the computer. The MBR is the first sector of the drive and holds the boot code and the partition table; without an intact MBR, a computer cannot find or start its operating system, which is why the infected machines stopped at a boot-time message rather than loading Windows.
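The practical question for a responder facing a machine like this is whether its MBR is still sane. The following is an added example, not code from the article or from any SFMTA system: it parses a 512-byte MBR image, checks the 0x55AA boot signature, walks the four partition entries, and compares the boot-code hash against a set of known-good loader hashes that the analyst is assumed to supply. The two MBR images it examines are constructed inline for illustration; the "locked" one models a disk locker that has replaced the boot code and wiped the partition table while keeping the boot signature, which is why the signature check alone is not enough.

```python
"""Added example (not from the original article): triage an MBR image after
a suspected disk-locker infection. All sample data below is constructed."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a bootable sector
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Partition type IDs an analyst would expect on a typical workstation.
KNOWN_PART_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0F, 0x27, 0x82, 0x83, 0xEE}


def build_clean_mbr() -> bytes:
    """Constructed healthy MBR: filler boot code and one active NTFS partition."""
    boot_code = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (PART_TABLE_OFFSET - 3)
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * 16
    return boot_code + ntfs + empty * 3 + BOOT_SIGNATURE


def build_locked_mbr() -> bytes:
    """Constructed MBR as a disk locker might leave it: foreign boot code,
    partition table zeroed, but the 0x55AA signature kept so the BIOS still
    runs the attacker's loader (the hypothetical 'Enter Key' prompt)."""
    filler = hashlib.sha256(b"constructed locker boot code").digest()
    boot_code = (filler * 14)[:PART_TABLE_OFFSET]
    return boot_code + b"\x00" * 64 + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Decode signature, non-empty partition entries and a hash of the boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue                                   # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
    }


def assess_mbr(mbr: bytes, known_boot_code_hashes: set) -> list:
    """Return human-readable findings; an empty list means nothing suspicious.
    known_boot_code_hashes is assumed to come from clean reference machines."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector corrupted or encrypted")
    if not info["partitions"]:
        findings.append("partition table is empty: table wiped or overwritten")
    else:
        if not any(p["bootable"] for p in info["partitions"]):
            findings.append("no partition marked active: nothing to boot from")
        for p in info["partitions"]:
            if p["type"] not in KNOWN_PART_TYPES:
                findings.append(f"partition {p['index']} has unusual type 0x{p['type']:02x}")
            if p["sectors"] == 0:
                findings.append(f"partition {p['index']} has zero length")
    if info["boot_code_sha256"] not in known_boot_code_hashes:
        findings.append("boot code does not match any known-good loader")
    return findings


if __name__ == "__main__":
    reference = {parse_mbr(build_clean_mbr())["boot_code_sha256"]}
    for name, image in (("clean", build_clean_mbr()), ("locked", build_locked_mbr())):
        print(name, assess_mbr(image, reference) or ["no findings"])
```

Run against a real image with `dd if=/dev/sdX bs=512 count=1 of=mbr.bin` (from a write-blocked copy, not the live infected disk) and feed the bytes to `assess_mbr`. The known-good hash set should be built from clean machines of the same build, since boot code differs between Windows versions and boot managers.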
“We do this for money, nothing else ! i hope it’s help [sic] to company to make secure IT before we coming !”
The exact method of infection is not known, but it looks like it was one of the usual vectors of ransomware, which is usually delivered via phishing sites or emails. A list of infected computers obtained by CSO Online suggests that a staff member’s computer may have been the original entry point.
We do know that the SFMTA was not specifically targeted. Saolis wrote:
“Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software!”
To remove the ransomware and restore functionality, Saolis is demanding a ransom of 100 bitcoin, currently worth approximately $73,000 USD. In exchange, Saolis says, decryption keys would be provided that unlock the affected computers and return them to normal.
According to Saolis, 2,112 of the 8,656 computers on the Municipal Transportation Agency’s network are infected. As of Sunday night, however, the ticketing machines were functioning again, which suggests that SFMTA may be solving the problem on its own.
If an organization has proper measures in place (most importantly, tested backups kept offline, where the ransomware cannot reach them), it can avoid paying the ransom and restore the computers on its own with little to no data loss. Ransomware distributors often impose a deadline to force victims into action before they have time to do that.
If SFMTA is going to pay the ransom, which security companies discourage, it may not have much time left. Saolis wrote: “we are waiting one more day for deal and after it this email closing for security reason!” (which would be Monday). In another email, Saolis wrote “many ppl and news agency send email and question, it’s boring, i want to close this email!”
Apparently, he is not appreciating the coverage.
SFMTA is a government agency, which raises questions about whether it could even use funds to pay the ransom if it wanted to. According to SFMTA’s budget, it brings in an average of $559,000 per day in ticket fares, so whatever it does, it will want to get this sorted out quickly.