Criminals have been causing much grief with ransomware, whether knocking out businesses or entire hospitals with their infections. San Francisco’s transport system is the latest to suffer. This weekend, previously-known PC ransomware found its way onto computers at the Municipal Transportation Agency, hitting the city’s light rail system, the Muni. The hackers reportedly demanded 100 Bitcoin, worth roughly $70,000, to release Muni machines from their control though it’s unlikely they’ll ever get paid as the network was back online as of this morning.
On Saturday, the hackers left a brief message on Muni ticketing systems: “You Hacked, ALL Data Encrypted.” They went on to explain in broken English that their attacks weren’t targeted, indicating the Muni was hit in a so-called “spray and pray” attack, according to reports. “We don’t attention to interview and propagate news! Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don’t want deal! So we close this email tomorrow!”
— San Francisco CA (@SF_CA_RR) November 28, 2016
But rather than shut down the network, the attack simply led to machines being turned off and passengers allowed to grab free rides. Muni’s systems also appear to have been cleaned of infection as of today.
“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” Muni spokesperson Paul Rose told media. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”
Who are the hackers?
The extortionists behind the hack have a long history in demanding ransom from web users. They use the address Cryptom27@yandex.com, telling victims that if they wanted access to their data they needed to pay for an encryption key.
One victim who’d been targeted by the same mail address wrote on Bleeping Computer that they’d discovered the malware in use was HDDCryptor. Bleeping Computer and security firm Trend Micro both noted a surge in activity from that ransomware variant from August onwards.
“HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises,” Trend Micro researchers Stephen Hilt and William Gamazo Sanchez wrote in a blog post.
“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals.”
Different email addresses have been attached to HDDCryptor ransomware messages, however, which could indicate numerous criminals have access to the malware or that one group is using multiple addresses to cover their tracks. Whoever they are, they’re succeeding in causing disruption and forcing victims to hand over ransoms. In September, one of the malware operators, using the email address firstname.lastname@example.org, had acquired four payments of between $600 and $700.
Source: SANS ISC SecNewsFeed @ November 28, 2016 at 07:03AM