Ransomware attacks have been on the rise in the last few years, but until now the attackers have mostly targeted private companies, encrypting their data so that they can demand a ransom to decrypt it. Now it appears that hackers have turned the same malware against the San Francisco transit system.
Businesses and private companies have been almost the only targets of those who use ransomware to make money. The data the malware encrypts can be essential to a company's operations, and losing access to it even for a short time can cause heavy losses. For this reason, companies have often been more willing to pay the ransom than to wait for a proper investigation of the attack.
It seems, however, that someone reasoned that hacking public transportation in San Francisco, on which a great many people depend, would give the authorities the same incentive to pay quickly. SF's transit system, known as Muni, has been under attack since Friday. Computer screens at various stations displayed the message "You Hacked, ALL Data Encrypted" along with the contact address cryptom27 at yandex.com, the party offering to unlock the data for $73,000.
The attack on the railway network caused fare payment machines at various stations to report that they were out of service. As a result, riders travelled free on the system's light-rail vehicles because Muni was unable to charge them. Fortunately, transit service itself was not disrupted over the Thanksgiving weekend.
As for the ransomware itself, experts believe it to be a variant of HDDCryptor. The malware uses commercially available tools to encrypt both local hard drives and network shares reachable over Server Message Block (SMB), including shared drives, folders and files, printers and even serial ports. The practical consequence is that every share the infected machine can write to is at risk, not just its own disk, so restricting write access on shares and keeping backups offline limits the damage such an infection can do.
According to local reports, the computer systems of San Francisco's transit system were restored by Sunday. The investigation into how the attack was carried out is still ongoing. At this point it is unclear whether Muni officials were able to recover the data through other measures or simply decided to pay the ransom. However, the bitcoin wallet designated for the ransom was reportedly still empty when last checked, which suggests that the authorities restored access to the network by other means, for example by rebuilding the affected systems from backups.