Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Office admin systems derailed by malware

Updated: Hard-drive-scrambling ransomware infected hundreds of computers at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data, The Register has learned.

Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.

A variant of the HDDCryptor malware menaced as many as 2,112 computers within the San Francisco Municipal Transportation Agency, the ransomware's masters claimed in email correspondence seen by El Reg.

These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. We're told that the worm-like malware automatically attacked the agency's network, and was able to reach the organization's domain controller and attack network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency's network.

After vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: "You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601."

HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks' MBRs, where possible, to prevent systems from booting up properly. A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, and then the contagion spreads out across the network.
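The MBR overwrite described above is something a defender can baseline and check for. The following is an added example, not code from the article or from any vendor tool: it validates a 512-byte boot sector (0x55AA signature, sane partition entries) and compares it against a recorded SHA-256 baseline. The sector bytes are constructed here for illustration, not read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def mbr_sha256(mbr: bytes) -> str:
    """Hash the whole sector; store this as the known-good baseline."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR looks untouched."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    bootable = 0
    # Partition table: four 16-byte entries starting at offset 446.
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
        if status == 0x80:
            bootable += 1
        if ptype != 0 and all(b == 0 for b in entry[8:12]):
            findings.append(f"partition {i}: type {ptype:#04x} but LBA start is 0")
    if bootable > 1:
        findings.append("more than one partition flagged bootable")
    if mbr_sha256(mbr) != baseline_sha256:
        findings.append("boot code/partition table differ from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): stand-in boot code,
    one active Linux partition starting at LBA 2048, then the signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 443            # 446 bytes
    # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x83,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + part0 + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_sha256(good)
    print("clean:", check_mbr(good, baseline))
    # Simulate a ransomware-style overwrite of the boot code only.
    print("tampered:", check_mbr(b"\x00" * 446 + good[446:], baseline))
```

On a live host the baseline would be taken from the first 512 bytes of the boot disk at a known-good time and re-checked on a schedule; a mismatch with the signature still intact is the pattern a boot-code overwrite leaves.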

When the 100-bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over a master decryption key to restore the ciphered drives and files. A bitcoin wallet into which the transit agency is expected to pay remains empty.

The extortionists behind the malware have complained that no one at the agency has so far spoken to them let alone offered to pay. The crooks said they will give Muni officials another day or so to get in touch before walking away. They also offered to decrypt one machine for one bitcoin to prove restoration is possible.

The crims further claimed they had exfiltrated 30GB of internal documents, databases and employee files from the compromised network, and have threatened to leak the information if the ransom is not paid.

"Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 servers/PCs [were] infected by software," the ransomware's masterminds said in a statement on Sunday via email. "So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we [will] close this email [account] tomorrow."

You've been hacked ... Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)

Buses and the underground-overground Muni rail system continue to run. The Muni's turnstiles were left open from Friday night, though, allowing people to travel for free. Ticketing systems were halted with "out of service" messages in the wake of the infection.

"We can confirm a cyber attack," the transit agency's spokesman Paul Rose told The Register.

"We opened the fare gates on Friday and Saturday as a precaution to minimize any possible impacts to customers. There has been no impact to transit service, to our safety systems or to our customers' personal information. The incident remains under investigation, so it wouldn't be appropriate to provide any additional details at this point."

The Department of Homeland Security and the FBI are also now helping the transport agency with the case, we're told.

On the subject of the 30GB of documents allegedly swiped by the ransomware hackers, Rose added: "Based on information we have, and in conference with the Department of Homeland Security, we believe they do not have access to critical data files."

San Francisco's public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware. Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don't. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware.

Updated to add

Muni officials said on Monday that "the primary impact of the attack was to approximately 900 office computers."

"The SFMTA has never considered paying the ransom," added agency spokeswoman Kristen Holland.

"We have an information technology team in place that can restore our systems, and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two."

According to Holland, "the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked." No data was lifted by the extortionists either, we're told.

"Upon discovering the malware, we immediately contacted the Department of Homeland Security (DHS) to identify and contain the virus. We are working closely with the FBI and DHS on this matter," Holland continued.

Meanwhile, also on Monday, apparently someone was able to hijack the ransomware crooks' email account by guessing the answer to its security question.

It is also believed the hacker broke into the SFMTA network by exploiting an Apache Commons Collections Deserialization Vulnerability present in tons of software, including Oracle's WebLogic Server. The exact route of entry is not known for sure.

Hat tip: Thanks to computer security researcher Mike Grover for his help with this article.
