11.29.2016

Ransomware Strikes San Francisco Transportation

HDDCryptor variant shuts down ticketing systems

Black Friday was stressful for a lot of people, particularly San Francisco’s Municipal Transportation Agency (often abbreviated Muni). An infestation of ransomware took down ticketing systems for Muni’s train stations along with systems used to manage San Francisco’s buses. The malware’s operator demanded 100 bitcoins (about $73,000).

Effects of the ransomware could be seen on screens in station agents’ booths at Muni train stations, which displayed the message “You Hacked, ALL Data Encrypted.” The message contained an email address that has been tied to variants of both the Mamba and HDDCryptor ransomware families.

On Friday and Saturday, train stations’ gates remained open with ticket machines displaying out of order messages. During this time, passengers were allowed to ride for free, and bus drivers were given handwritten route assignments. Most of the system’s functions were restored by Sunday.

In an email exchange, the attacker told Threatpost that they would release about 30GB of sensitive data if the SFMTA did not contact them or fix the vulnerability. Spokesperson Paul Rose told Threatpost that no customer privacy or transaction information was stolen. He stated, “We have never considered paying ransom and don’t intend to. The attack did not penetrate our firewalls and we are able to restore systems through the work of internal staff.”

Paul Rose added that the transit services (bus, streetcar and cable cars) were never affected, and riders were not at risk. He declined to comment further, citing the ongoing investigation.