A San Francisco Transport System ransomware attack occurred this weekend that resulted in computers used by the city’s light rail system being encrypted. The attackers demanded a 100 Bitcoin ($70,000) ransom to supply the key to unlock the encryption.
A statement released by the San Francisco Municipal Transportation Agency (SFMTA) confirmed that while the attack resulted in computer systems being taken out of action, transport was unaffected. “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact.”
The attack did force SFMTA to allow passengers to travel free of charge while systems were down, but all data have now been restored and it appears the ransom was not paid. The computer system has now been brought back online.
The actors behind the San Francisco Transport System ransomware attack claim the infection was not the result of a targeted attack. The systems put in place to spread the ransomware run automatically; the actors only become involved once the ransomware has been installed.
According to Forbes, the attackers briefly displayed messages on the ticketing systems prior to the computers being shut down. The attackers claimed it was a “spray and pray” attack. Ransomware was installed as a result of poor security controls at SFMTA. The attackers said “SFMTA network was Very Open and 2000 Server/PC infected by software!”
The broken English suggests the attackers are of foreign origin. The attack is likely to have originated outside the United States.
SFMTA has not released further details on the attack as the investigation is ongoing. However, another victim of a ransomware attack by the same individuals suggests the ransomware variant used was HDDCryptor. HDDCryptor is a particularly nasty ransomware variant that encrypts files and disables printers and serial ports via Server Message Block (SMB). The ransomware also locks the hard drive on the attacked computer and networked drives.
Recovering from ransomware attacks without paying the ransom demand is dependent on an organization’s ability to recover encrypted files from backups. If no viable backup exists, organizations are left with little alternative but to pay the ransom demand. Typically the ransom amount charged for each infected computer is in the region of $300 to $700, although as seen in this attack, the attackers can name their price.