Euro Security Watch with Mathew J. Schwartz

Incident & Breach Response , Managed Detection & Response (MDR) , Next-Generation Technologies & Secure Development

San Francisco's Muni Vows: We Won't Pay Bitcoin Ransom

DHS Ransomware Investigation Finds No Critical Data Compromised
San Francisco's Muni Vows: We Won't Pay Bitcoin Ransom
Muni fare gates at the Civic Center. Credit: Eric Fischer (Flickr/CC)

Score one for preparation. In the wake of a ransomware attack that infected 900 systems used by the San Francisco Municipal Transportation Agency - better known as Muni - the agency has vowed to not give the attacker a single bitcoin of his 100 bitcoin ransom demand.

See Also: 5 Requirements for Modern DLP

"We have never considered paying the ransom," Muni spokesman Paul Rose tells me. "We have a IT team that can fully recover our systems, and they are doing that."

The ransomware infection unfolded over the Thanksgiving weekend, as Muni systems suffered a HDDCryptor malware - a.k.a. Mamba - infection. Muni says that no customer or transaction information was compromised in the attacks, although payment kiosks were disrupted. As a result, on Nov. 25 and Nov. 26, Muni opted to open the fare gates in the subway, thus allowing people to ride for free.

A friend who lives in San Francisco tells me: "Muni metro was hosed because they have no mechanism to take cash fares in the metro if those machines are down."

By Nov. 27, however, the majority of the fare-taking machines had been restored, although Muni says related clean-up efforts remain underway. Based on Muni's operating budget, it stood to lose more than $500,000 for every day that it couldn't collect fares.

Locked workstations had displayed a black screen with a simple message: "You Hacked, ALL Data Encrypted." The message also included an email address to contact to obtain a decryption key.

I reached out to that email address and heard back from one "Andy Saolis," a pseudonym that security researchers say has long been associated with a gang that launches HDDCryptor attacks.

Saolis told me that Muni had been a random victim, and claimed that the attack had infected 2,000 systems - more than Muni has acknowledged - including every single Muni payment kiosk. While he declined to share personal details, he noted that he's not based in the United States.

While not shying away from the fact that he's looking to make a quick buck - that is, after all, the modus operandi behind nearly every last ransomware attack in the world - Saolis has also attempted to frame his group's efforts in a Robin Hood-esque light, saying that Muni was lucky it was the victim of his random attack. He also shared the address of a bitcoin wallet and said that anyone who appreciated his group's efforts should donate to the cause.

"If some hacker try to hack your transportation infrastructure target-based, it's have more impact!" he told me.

Saolis also threatened to dump "publish 30G databases and documents include contracts, employees data, LLD Plans, [and] customers" information unless Muni paid the 100-bitcoin ransom, which would currently be worth about $73,000.

"Sorry for my English anyway ;)" he added.

No Critical Data Compromised

Muni has dismissed the ransomware gang's threat to dump data. "Based on internal information and in conference with the Department of Homeland Security, they do not have access to critical data files," Rose tells me.

Rose also says that email and payroll systems weren't affected by the ransomware infections. "Access to payroll timekeeping was, but we manually kept time for employees," he says.

As that suggests, even well-prepared organizations require time to clean up from a ransomware infection, including restoring affected systems and in this case manually entering time cards into time-keeping systems. But not paying off attackers is the right thing to do, whenever possible, because it avoids incentivizing attackers to continue their efforts, or funding cybercriminals' ransomware research and development efforts.

Rare Public Transport Ransomware Strike

The Muni ransomware infection is unusual. In January, attackers hacked into Dallas Area Rapid Transit computers, apparently obtaining access to customer communications and business processing tools, NBC's Dallas affiliate reported at the time. The hack affected trip-planning tools as well as message boards at railway platforms, it added.

But this appears to be the first known case of ransomware infecting a public transit agency, Ed Cabrera, chief cybersecurity officer with anti-virus firm Trend Micro, tells The Wall Street Journal. "I haven't seen another ransomware attack against another transportation entity," he says.

Of course with the number of ransomware families now exceeding 200 - by some counts - and those attack tools being used by an even greater number of cybercrime gangs, it was only a matter of time until attackers such as the HDDCryptor gang managed to randomly infect an agency such as Muni.

Internet-Connected Risks

One bigger-picture takeaway from the attacks is that any internet-connected system can - and likely will - be hacked, so organizations must be prepared, as Muni was.

"Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the internet," Bruce Schneier, CTO of IBM's Resilient Systems, says in a blog post.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.