Ransomware forces SFMTA to give free rides, $73,000 demanded by attackers

The trains are running, but the systems maintaining fares and schedules are not


A woman waits for a MUNI train at the Embarcadero station in San Francisco, California.

Credit: REUTERS/Robert Galbraith

On Saturday evening, reports from San Francisco outlined a malware attack causing problems for SFMTA. MUNI riders were given free access after station payment machines and schedule monitors started displaying a “You Hacked” message, warning that all data was encrypted.

Local media and other statements from SFMTA employees say the attack started just prior to the Thanksgiving holiday. CBS 5, a San Francisco affiliate, first broke the news on Saturday, reporting the problems had started a few days earlier.

According to reports from local media and passengers, station screens across the city were displaying the same message, and payment terminals were marked as out of service. Some terminals had a message taped to the screen telling passengers MUNI was free.

Images of the terminals started to spread on social media and Reddit. Passengers in the stations who spoke to the media were unaware that anything was wrong, assuming the free rides were part of a holiday promotion.

“You Hacked. ALL Data Encrypted,” a message delivered by the malware says. The warning is followed by an email address and ID number, which can be used to arrange ransom payments.

The email address used in the SFMTA attack (cryptom27 at yandex .com) has been previously observed in similar attacks, stretching as far back as September 2016. In each case, the victim was shown the same message and assigned a personal ID in order to obtain a decryption key.

The malware is believed to be a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares. Trend Micro covered the malware in a report on September 16 of this year, but Morphus Labs discovered a sample in the wild on September 7, and gave it the name Mamba.

The ransom demanded in cases like this will vary, but people close to the incident at SFMTA say the ransom is 100 BTC, or $73,184 USD with current exchange rates.

Over the weekend, those who emailed the address were told that the attack was automated, and that SFMTA had a “very open” network. The person(s) manning the Yandex address also reported that more than 2,000 systems were impacted.

As of Sunday evening, SFMTA has not confirmed any details concerning the attack, including the number of systems infected, the total ransom demanded, or how the malware entered the network.

Salted Hash has reached out to the agency for comment.

In a statement to CBS 5, Muni spokesperson Paul Rose said there was no impact to transit service, but that fare gates were opened as a precaution in order to “minimize customer impact.”

“Because this is an ongoing investigation it would not be appropriate to provide additional details at this point,” Rose stated.

Again, the number of systems affected by this attack, as well as the ransom amount, are figures being shared by the person(s) claiming responsibility – they have not been fully verified and could change as the investigation moves forward.

Also, it isn’t clear if SFMTA is willing to pay the ransom, but restoring systems could take days, or even weeks, and every free ride has a cost associated with it. With ransomware, backups are often the key recovery resource, but the attack against SFMTA has targeted the hard drives directly, so replacements will be needed.

Some background on the attack:

Email exchanges with the person claiming responsibility for the SFMTA hack via their Yandex email address have revealed a list of 2,112 systems that were infected.

Some of the earliest infections on that list (LIGHT-DUTY1 & LIGHT-DUTY2) suggest the malware entered the network via systems that are regularly used by staff, before spreading to other systems belonging to office workers. A second list of 8,656 SFMTA systems includes a domain controller for MUNI, which could also explain how the infection was able to spread, but this hasn’t been confirmed.

This second list is a master list of SFMTA systems, so only a fraction of the computers on it have been infected. The reason for this discrepancy isn’t clear.

On November 26, the person(s) responsible for the SFMTA attack received a message asking about ID 601, the number displayed on the infected SFMTA systems.

Assuming they were talking to SFMTA directly, the Yandex account responded immediately. The reply demanded a 100 BTC payment before they’d deliver the decryption key. The email also offered advice on how to obtain the currency.

The first message sent from the Yandex account is shown in part below; it’s presented with no modifications:

if You are Responsible in MUNI-RAILWAY !

All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!

We have 2000 Decryption Key !

Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server's HDD!!

We Only Accept Bitcoin , it’s So easy!

you can use Brokers to exchange your money to BTC ASAP

it's Fast way!

With some prompting, the person(s) responding to emails shared their Bitcoin wallet address, and offered to exchange one Bitcoin for a decryption key to unlock a non-important system in order to prove they had the ability to restore files.

The wallet where SFMTA is to deliver payment is: 1efs45wsKYTbFf1dmfAsGnPnqmJxgpmYp

Subsequent exchanges with the attacker show a person who suddenly gained a lot of attention for their acts and didn’t know how to deal with it: “we received many email from SFMTA! how are you and what’s your position there? (sic)” a message stated.

It isn’t clear how many people were emailing the Yandex address, and their statement isn’t proof that SFMTA has had any contact with their attacker(s).

However, because of the flood of emails to the address, the person responding to messages said the account would be closed on November 27, “for security reason! (sic)” The person answering email on the Yandex account remained silent on Sunday evening, other than to reach out one final time to ask if the person they were originally corresponding with wanted "a deal or not?"

"many ppl and news agancy send email and question , it's boring , i want to close this email ! you must say answare and say your choose clearlly (sic)," the message stated.

Discussing the situation, Beau Woods, Deputy Director of the Cyber Statecraft Initiative at the Atlantic Council, had some observations of his own to share.

“Was the attacker aware he was going after SF MUNI or was it just a random campaign? For Hollywood Presbyterian it was random. I suspect this was too,” Woods said, admitting that he could be wrong in his assessment.

“Combine low hanging fruit like this, with adversaries who want to do harm rather than get money, and there will be real stakes involved. [San Francisco] can afford to lose 100 Bitcoin to low hanging fruit attacks - can they afford to lose 100 lives?” he added, focusing on the seriousness of such attacks against transportation and infrastructure.

This story is developing and will be updated as new information emerges.

Salted Hash would also like to give a hat tip to security researcher Mike Grover for his assistance with this story.
