Focusing on the most critical systems first, the agency responsible for MUNI says IT teams are in the middle of their BC/DR process this morning. The IT staff jumped into action after a ransomware attack forced some systems offline during the Thanksgiving holiday weekend. The agency also says that claims of data exfiltration by the attacker are false.
In a blog post on Monday, SFMTA spokesperson Kristen Holland says that office computers are being restored following a ransomware attack over the weekend. The attack started on Friday and resulted in free rides for light rail passengers, as MUNI turned those systems off in order to limit customer impact.
The attack leveraged hard drive encrypting malware that targets a disk’s boot record, meaning that recovery often centers on re-imaging the systems and then recovering data form backups. The process is slow-going, but not impossible.
As such, SFMTA IT teams have been working over the weekend, and are expected to complete the recovery process within the next day or two.
“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing,” Holland said in a blog post on the SFMTA website.
“Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”
The post also disputed claims made by the attacker on Monday that 30GBs of data was compromised during the attack.
In an email, which was published by Salted Hash, the person maintaining Yandex account used during the ransomware attack threatened to release the data, including contracts, employee data, LLD Plans, and more.
“The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports - no data was accessed from any of our servers,” Holland wrote.
As mentioned in Sunday’s report, the malware used in the MUNI attack is a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares.
It’s possible the attacker’s email account was compromised. Brian Krebs is reporting that someone compromised the attacker's primary email account this morning, as well as a secondary email account liked to it, by guessing password recovery questions.
Based on the emails in the compromised account, the person(s) responsible for the SFMTA attack earned more than $140,000 USD since August from ransom payments after using the same hard drive encrypting malware.