Ransomware Used Against Muni Known As Harsh, Virulent

Fare collection systems, email and other critical systems used by San Francisco's transit agency were crippled by an outbreak of ransomware over the weekend, the agency confirmed. (Image courtesy of SFMTA.)

San Francisco’s Municipal Transportation Agency (MTA) was hit with a ransomware attack over the weekend, disrupting a number of agency computer systems including email, the MTA said in a statement on Sunday. And security experts say that the ransomware used has a reputation for virulence.

Computer terminals observed at MTA (or “Muni”) stations displayed a message that read, in part, “You Hacked. All Data Encrypted” over the weekend, paralyzing toll collection operations and forcing the MTA to open its turnstiles and let the public ride for free. A report by The San Francisco Examiner claims that the ransomware thieves have infected more than 2,000 of the agency’s 8,000 computers, affecting not only fare collection, but also systems that assign routes to bus drivers. The thieves are demanding $73,000 in ransom, paid in bitcoin.

In a statement on Sunday, San Francisco MTA said that the attack “disrupted some of our internal computer systems including email,” but that “transit service was unaffected and there were no impacts to the safe operation of buses and Muni Metro. Neither customer privacy nor transaction information were compromised.” The situation “is not contained,” SFMTA said.

Based on a description of the infected computer terminals, the ransomware appears to be HDDCryptor, a common ransomware variant also known as “Mamba” that has been circulating for almost a year. An analysis by experts at Trend Micro describes it as a particularly virulent variety of ransomware that infects the master boot record (or MBR) on infected computers, locking the entire contents of a hard drive until ransom is paid. HDDCryptor is also capable of spreading quickly on networks. Once installed, it maps out any networked computers, servers or external drives connected to an infected system and attacks “resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB).” Trend described the malware as a “very serious and credible threat not only to home users but also to enterprises.”

Organizations like the MTA are highly vulnerable to such malware, which often jumps onto vulnerable networks after users visit a malicious website or open a malicious file attachment. For example, some web sites push ransomware as phony Adobe Flash updates that are needed to view web-based video.

Once installed, HDDCryptor scans a computer for all mapped drives and encrypts any files it finds on them. It also scans for any previously accessed network folders and encrypts those it can still access.

San Francisco MTA has assured customers that their data was not affected in the breach, and reports by local media suggest that the MTA is recovering from the attack without paying the ransom. Notably, fare collection systems came back online Sunday. However, reports from the SF Examiner and others on Monday carried claims of much broader data theft by an individual using the name “Andy Saolis,” who says he is responsible for the hack.

According to those reports, the initial compromise of SFMTA came by way of a Windows 2000 PC server at the SFMTA with links to “all payment kiosk and internal automation and Email.” The hacker claimed to possess “30 gigabytes worth of contracts, employee data…customer data, and more,” which would be released to the public if the ransom was not paid.

The SFMTA’s deadline to pay the ransom is Friday, an apparent extension from Monday (Nov. 28th), the original deadline. Other systems affected by the attack include Muni “CCTVS,” an apparent reference to the agency’s closed circuit TV surveillance cameras, human resources systems and a computer named “DATSERVICES,” The Examiner said.


The incident is just the latest in which ransomware has affected the operation of what is generally considered “critical infrastructure.” There have been a number of infections of ransomware that have crippled hospital systems including an attack on Presbyterian Medical Center in Los Angeles. Local police departments and government agencies have been targeted and, in some cases, have been forced to pay ransom to retrieve encrypted files.

A report from Cisco Systems found that ransomware infections were a growing problem in the first half of 2016 due, in part, to the rise of the Bitcoin cryptocurrency, which has allowed the ransomware industry to flourish by permitting anonymous payments to ransomware scammers. Anonymizing tools and technologies like the Tor network have also allowed the scams to operate anonymously, Cisco found. Other firms have noted a jump in ransomware attacks going back years.

Lax maintenance of application servers and other Internet infrastructure is a major contributor to successful online attacks, including ransomware, Cisco said.

“Hackers have the advantage, and they are using that imbalance to extort many millions of dollars from the ill-prepared,” said Justin Fier, director of cyber intelligence and analysis at Darktrace, in an email statement.

Early detection is critical in stopping such attacks and preventing victims from being in a position where ransom must be paid. “Defenders of critical infrastructure and data cannot afford to wait any longer in modernizing their systems and implementing self-learning methods to catch threats while they are active internally. Don’t expect to catch them as they walk through the gate,” he said.



  1. ok, so the FIRST problem is a Windows 2000 end of life server in use!! what do they expect?