San Francisco commuters get free Muni rides thanks to ransomware infection


San Francisco public transport passengers received a pleasant surprise over the weekend as the city’s Muni network offered free rides as a result of the ticketing network being hijacked by ransomware.

A variant of the HDDCryptor malware hit 2,112 computers within the San Francisco Municipal Transportation Agency, with messages appearing on the screens of ticket machines reading “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681, Enter.”

According to reports, the hacker is demanding a payment of 100 bitcoin ($73,356) to decrypt the affected computers, which, according to The Register, included not only ticketing machines but also office administration desktops, computer-aided design workstations, email and print servers, employee laptops, payroll systems and SQL databases.

“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” Muni spokesperson Paul Rose told CBS Local. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

Unlike other forms of ransomware, HDDCryptor not only targets resources on network shares, such as drives, folders, files, printers and serial ports, via Server Message Block (SMB), but also locks the drive of the machine it infected, according to security firm Trend Micro. That is how it spread across so many machines on the Municipal Transportation Agency network.
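The spread pattern described above, one host reaching many SMB shares in a short burst, is something a defender can look for in file-server or firewall logs. The following Python script is an added example written for this article, not code from the article, Trend Micro or the SFMTA: it flags any host that touches an unusually large number of distinct shares within a sliding time window. The log format, the sample lines, the host names, the 60-second window and the threshold of five shares are all constructed assumptions for illustration.

```python
"""
Added example (not from the article): flag hosts that reach an unusual
number of distinct SMB shares in a short window, the lateral-spread
behaviour the article attributes to HDDCryptor.

The log format below is constructed for this example. Map your own
file-server or firewall logs into (timestamp, source_host, share) records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of share-access events: "ISO-timestamp src_host share".
# Raw string so the UNC backslashes are kept literally.
SAMPLE_LOG = r"""
2016-11-25T09:00:01 WS-1012 \\FS01\finance
2016-11-25T09:00:03 WS-1012 \\FS01\hr
2016-11-25T09:00:04 WS-1012 \\FS01\engineering
2016-11-25T09:00:06 WS-1012 \\FS02\payroll
2016-11-25T09:00:09 WS-1012 \\FS02\cad
2016-11-25T09:00:12 WS-1012 \\PRINT01\queue
2016-11-25T09:00:02 WS-2207 \\FS01\finance
2016-11-25T09:05:30 WS-2207 \\FS01\finance
2016-11-25T09:07:10 WS-2207 \\FS01\hr
2016-11-25T09:01:00 WS-3301 \\FS02\payroll
2016-11-25T09:01:05 WS-3301 \\FS02\payroll
2016-11-25T09:01:09 WS-3301 \\FS02\payroll
2016-11-25T09:01:14 WS-3301 \\FS02\payroll
2016-11-25T09:01:20 WS-3301 \\FS02\payroll
"""


def parse_events(text):
    """Yield (timestamp, host, share) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, share = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, share


def find_share_sweeps(events, window=timedelta(seconds=60), threshold=5):
    """
    Return {host: max_distinct_shares} for every host that accessed at least
    `threshold` distinct shares inside any `window`-long interval.

    Repeated access to the same share does not count as a sweep; only the
    number of distinct shares inside the window matters. Window length and
    threshold are assumptions to tune against a site's normal traffic.
    """
    by_host = defaultdict(list)
    for ts, host, share in events:
        by_host[host].append((ts, share))

    flagged = {}
    for host, records in by_host.items():
        records.sort()
        in_window = defaultdict(int)  # share -> hits inside the current window
        left = 0
        best = 0
        for ts, share in records:
            in_window[share] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - records[left][0] > window:
                old_share = records[left][1]
                in_window[old_share] -= 1
                if in_window[old_share] == 0:
                    del in_window[old_share]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, count in find_share_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"possible share sweep from {host}: {count} distinct shares in one window")
```

On the constructed sample only WS-1012 is reported: it touches six different shares on three servers within eleven seconds, while WS-2207 reads two shares minutes apart and WS-3301 hammers a single share. A hit from a detector like this is a reason to isolate the host and inspect it, which is the containment step the article describes, rather than proof of infection on its own, since backup agents and indexing services can produce similar bursts and need an allow-list.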

The usual attack vector for HDDCryptor is an employee introducing it to the network, either through a USB device or by opening an infected email attachment. While HDDCryptor can be removed and files restored using specialist security software, manual removal isn’t possible, and in some cases a full Windows reinstall may be required.

The aggressive nature of the malware also means that all infected systems need to be isolated from the network lest they reinfect it. That means it could take days or even weeks to completely purge it from the network — unless the SFMTA decides it would be simpler to pay the ransom and obtain the master decryption key instead.

Image credit: yusamoilov/Flickr/CC by 2.0