The Municipal Transit System of San Francisco Falls Victim to Ransomware

Newspapers reported that San Francisco’s Municipal Railway, widely known as Muni, fell victim to a ransomware attack last Friday. The event was witnessed by passengers, as the computer screens in the city’s railway stations were displaying the following message: “You Hacked, ALL Data Encrypted”. It was later revealed that the perpetrator demanded a ransom of $73,000 USD from the transport firm.

As per the Examiner, fare payment machines displayed an “out of service” message. Because of the inability to process fare transactions, Muni was forced to offer free rides. Attempts to reach the San Francisco Municipal Transport Agency for comments on Sunday were unsuccessful.

Researchers believe that the ransomware used in the attack is a variant of HDDCryptor. This malware carries out sophisticated processes that make its attacks very effective. CSO’s Salted Hash has done extensive research on the ransomware. The analysis revealed that HDDCryptor uses commercial software to encrypt hard drives and network shares.

The security researchers of Trend Micro have also examined the ransomware. The company reported back in September that the virus poses a threat to both private users and enterprises. They explained that it not only “targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive.”

The ransom note instructed the victims to contact cryptom27 at This user is the hacker who holds the decryption key. Salted Hash disclosed the bitcoin wallet the attacker provided in email communications. The ransom money was to be transferred to his account.

The problem with the encrypted fare system was resolved on Sunday. The Examiner reported that the computers at the transit system had started to work properly again. The news item also addressed the demands of the cyber criminal, as the amount of the ransom was revealed.

It has not been disclosed how the issue was handled. The only indication we have at this point is the bitcoin account of the hacker. Up until late Sunday, the wallet was empty. It appears that no payment was made, at least not to the listed account. We can only assume that another solution was found, as ransomware operators do not tend to compromise on the payment method.
