Ransomware Hits San Francisco’s Public Transportation
A quarter of the SFMTA’s network was infected over the holiday weekend.
Riders of San Francisco’s metro system (SFMTA) were treated to free rides this weekend. But what appeared to be a pleasant holiday surprise was actually the result of a nasty ransomware infection affecting the train’s ticketing computers, which left no option but to allow free rides while the computer systems were down.
Ransomware has been making headlines for the last few years. It is a type of malware that encrypts files on the infected computer, blocking access to them unless the user pays a ransom in bitcoin (or other untraceable methods). Ransomware has been so effective because it employs social engineering – the term given to attacks which rely on manipulating people – often spreading through phishing emails and documents claiming to be official invoices or bills.
The full extent of the damage to the SFMTA is unclear, but reporting from SF Examiner indicates that the ransomware has spread throughout its systems. Photographs of station agent computers show they were infected, and on Sunday, drivers were being assigned routes “via handwritten notes posted to bulletin boards, as opposed to the usual computer printouts.” Sources told KPIX 5 that computers handling payroll may also be affected, which could delay employees’ paychecks.
Affected computers displayed the message:
“You Hacked, ALL Data Encrypted. Contact For Key(email@example.com)ID:681 , Enter Key: Missing operating system.”
The San Francisco ransomware, believed to be a strain of HDDCryptor, encrypts the computer’s MBR (Master Boot Record), a system-critical structure without which a computer is unable to start properly.
Hoodline.com and The Verge contacted the email address listed in the message. The attacker, going by the name ‘Andy Saolis,’ said:
“We do this for money, nothing else ! i hope it’s help [sic] to company to make secure IT before we coming !”
The exact method of infection is not known, but it looks like it was one of the usual ransomware vectors: delivery via phishing sites or emails. A list of infected computers obtained by CSO Online suggests that a staff member’s computer may have been the original entry point.
We do know that the SFMTA was not specifically targeted. Saolis wrote:
“Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software!”
To remove the ransomware and restore functionality, Saolis is demanding a ransom of 100 bitcoin, which is currently worth approximately $73,000 USD. In exchange for that ransom, decryption keys are provided that can automatically decrypt the computers and return them to normal.
According to Saolis, 2,112 of the 8,656 computers in the Municipal Transportation Agency’s network are infected. As of Sunday night, though, the ticketing machines were functioning again, which suggests that SFMTA may be solving the problem on its own.
If an organization has proper measures in place (most importantly, backups), it can avoid paying the ransom and restore the computers on its own with little to no data loss. Ransomware distributors often impose a deadline to force victims into action.
If SFMTA is going to pay the ransom, which security companies discourage, it may not have much time left. Saolis wrote: “we are waiting one more day for deal and after it this email closing for security reason!” (which would be Monday). In another email, Saolis wrote “many ppl and news agency send email and question, it’s boring, i want to close this email!”
Apparently, he is not appreciating the coverage.
SFMTA is a government agency, which raises questions about whether it could even use funds to pay the ransom if it wanted to. According to SFMTA’s budget, it brings in an average of $559,000 per day in ticket fares, so whatever it does, it will want to get this sorted out quickly.