The hackers behind the weekend’s ransomware attack on San Francisco’s Municipal Transportation Agency have had their own emails and servers compromised in the last 24 hours, exposing their criminal operation. And they may have been hacked by two vigilantes working separately.
One of the hackers contacted FORBES after your reporter sent an email to the Cryptom27@yandex.com address, the same used in the compromise of Muni light rail systems when the attacker demanded $70,000 in Bitcoin to free the ticket machines and SFMTA computers from their control. The source claimed to have breached the Cryptom27 account and informed the FBI. As further proof, beyond responding from a separate personal address to the mail I’d sent to Cryptom27, the anonymous leaker provided screenshots showing my own messages from yesterday.
They then offered further examples of email within the account, in which the ransomware pusher bartered with victims over how much Bitcoin they needed to pay to decrypt data locked up by the hacker. One victim said they would only pay 0.5 Bitcoin to unlock one PC, not 10 Bitcoin as Cryptom27 initially asked for. The hacker returned with an improved offer of 1 Bitcoin on which they agreed.
“This guy has been doing ransomware since August,” the source said. “There are many hacked people.” They said they were able to get into the account because the user had opted for guessable password reset questions, the answers for which were in English. “I reset the password within three tries of the answer,” the source added.
One screenshot indicated the hacker had started their ransomware campaign back in August against Chinese users. In one email, a Chinese victim complained they didn’t have any Bitcoin to pay the ransom, asking the hacker what broker they should use to acquire some of the digital currency. Another showed confirmation of Cryptom27 receiving 10 Bitcoin (worth around $7,320). According to the blockchain, that Bitcoin account helped shift 12.5924 Bitcoin ($9,215) with four other accounts to a single wallet. As of today, that wallet had received 37.5924 Bitcoin ($27,510) in total, with all transactions occurring in the last two days. (Keep in mind that, though there’s a link to criminal activity, there’s no definitive proof those proceeds came from ransomware escapades.)
The source said other accounts were connected with the original email account. One was email@example.com, which they claimed also to have compromised, though failed to provide evidence.
The source also claimed not to be linked to another breach of Cryptom27's email, as reported today by independent journalist Brian Krebs. Emails passed to Krebs from his separate source showed the extortionist focused their attentions largely on the U.S. construction industry. In one case, the victim coughed up 63 Bitcoins ($45,000).
Krebs was also able to acquire files from the ransomware pusher’s attack server. Looking at those files, it was evident the server was controlled “almost exclusively from internet addresses in Iran.” User account names included Alireza and Mokhi. The former, Krebs surmised, may have been a portmanteau of Ali Reza, a descendant of prophet Muhammad and a common name amongst Iranians and Turks.
FORBES’ source said it was unlikely the hackers were Iranian, though did not provide any proof as to why they’d likely be based in the U.S., as they’d suggested.
Muni attack not so profitable
The hackers have made substantial profit since August. Based on the combined data from Krebs and the Bitcoin accounts linked to the hackers, FORBES estimates the ransomware crew has made well above $100,000 in less than four months.
They’ve pushed malware known as HDDCryptor in earnest from the end of summer onwards. HDDCryptor locks up files across an individual’s or enterprise’s network with strong encryption, using DiskCryptor, an open source disk encryption tool, according to security firm Trend Micro. It also overwrites the Master Boot Record (MBR) so that when the computer is turned on, a ransom note appears instead of the normal login screen.
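Because the MBR overwrite described above is what turns a reboot into a ransom note, one defensive check is to keep a baseline of each machine's boot sector and alert when the boot code changes. The following is an added example (not code from the article, from Trend Micro, or from any of the tools named); the MBR images it checks are constructed in the script, and `read_mbr` assumes a raw block device path such as `/dev/sda` when run against a real host.

```python
import hashlib
import struct

MBR_SIZE = 512                # an MBR is always the first 512-byte sector
BOOT_SIGNATURE = b"\x55\xaa"  # trailing magic every valid MBR ends with

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def check_mbr(current: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings for an MBR; an empty list means it matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    return findings

def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device (needs root; assumed path e.g. /dev/sda)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)

def build_mbr(boot_code: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed MBR image for the demo (not a real disk dump)."""
    table = b"".join(bytes([st, 0, 0, 0, ty, 0, 0, 0]) + struct.pack("<II", lba, n)
                     for st, ty, lba, n in partitions)
    return boot_code.ljust(446, b"\x00")[:446] + table.ljust(64, b"\x00") + signature

# Constructed samples: a "known good" MBR and one whose boot code was replaced.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(b"CONSTRUCTED NOTE LOADER", [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real host the baseline hash would be recorded at build time and `read_mbr` compared against it on a schedule, so a swapped bootloader is caught before the next reboot surfaces it.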
But they were not successful in forcing the San Francisco Municipal Transportation Agency to pay up. Indeed, the organization has completely cleaned up the infection, according to a blog post in which spokesperson Kristen Holland said, “no data was accessed from any of our servers.” That would indicate the hackers’ brag they had at least 30GB of documents to leak was a fib. Backing up data worked a charm this time.
“The primary impact of the attack was to approximately 900 office computers. The SFMTA’s payroll system remained operational, but access to it was temporarily affected. There will be no impact to employees’ pay,” Holland added. “Upon discovering the malware, we immediately contacted the Department of Homeland Security (DHS) to identify and contain the virus. We are working closely with the FBI and DHS on this matter.
“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 07:57AM