Bitcoin ransomware has once again made media headlines, which is never a positive development. The SFMTA was hit by a malware attack that gave MUNI riders free access to public transportation. All payment terminals on the premises displayed an error message and stopped collecting payments. Moreover, the displays all showed a warning message indicating that computer data had been encrypted.
SFMTA Gets Bested By Bitcoin Ransomware
Whenever public transportation services are affected by ransomware, many different things start to go wrong in quick succession. First of all, the terminals used to collect station payments go out of order, giving everyone free access to public transportation until the matter is resolved. Secondly, the organization has to deal with the ransom demand, which only adds another financial burden on top of the lost fare revenue.
For the SFMTA employees, the attack began just before Thanksgiving last week. With station screens all across San Francisco showing a message of “hacked system”, a lot of people expressed their concern over what was going on. Then again, they were all able to access services without payment, so most people shrugged off the incident and went ahead with their day-to-day operations.
As it turns out, the SFMTA was subject to a massive ransomware attack. Early investigation results point towards a strain of HDDCryptor being used, which then went on to encrypt all computers on the network. This malware is also known under the Mamba name, although it remains unclear which of these two variants was used exactly.
As one would come to expect, the ransom demand was quite steep. The SFMTA was asked to pay a sum of 100 Bitcoin, worth over US$73,000 at the time of the attack. The attack appears to have been rather easy to execute, as the SFMTA has a “very open” network. Not the kind of PR a public transportation service provider needs right now.
For the time being, it remains unclear how the SFMTA will handle this issue. There is no indication that they are paying the ransom, but it could take weeks or months to get all systems operational again. Until the matter is resolved, users will continue to get free rides, which will eventually bleed the organization dry. Paying the ransom would be in their best interests, even though it sets a very dangerous precedent for future attacks.
One thing that is rather obvious is that the attack seems to have originated in Eastern Europe. The assailants used a Yandex email address, and their written English is poor at best. It is also unclear whether this was a targeted campaign or just a lucky hit from a global distribution campaign.
Header image courtesy of Shutterstock