
San Francisco MUNI Ransomware: Phishing attack?

Written by Adrien Gendre | November 29, 2016

Ransomware software was used Thanksgiving weekend in a massive attack against San Francisco’s Municipal Transportation Agency (SFMTA). The hard-drive-scrambling ransomware affected more than 2,000 systems including workstations, servers, and ticket machines all across the city’s light-rail system (MUNI).

The Attack

The San Francisco MUNI ransomware attack left a message on ticketing systems that read: “You Hacked, ALL Data encrypted.” The attackers’ message continued in broken English, explaining that their attack was not specifically targeted, that SFMTA’s systems had simply been left open, and that they were looking for a responsible person at SFMTA to contact them about the ransom. The ransom? The hackers demanded 100 Bitcoin, roughly $70,000, to release the system data.

Hackers demanded 100 Bitcoin, or about $70,000, to release the encrypted data.

Unfortunately for the hackers, the attack did not go as intended. SF MUNI responded by turning off ticket machines and opening the gates to customers so as not to interrupt service. In addition, it appears the infection was quickly contained by SFMTA’s IT team, so the hackers never got their payout. Of course, MUNI did lose a day’s worth of fares on a busy holiday. With over 240 million riders paying over $204 million in fares every year, this could have totaled as much as $558,000 in lost revenue… or even more with all the additional riders in town for the holiday weekend.

A variant of the HDDCryptor malware was able to infiltrate SFMTA’s network, infecting 2,000 systems.

Through further investigation, it appears the software used was a variant of the HDDCryptor malware. The ransomware spread automatically through the agency’s network, reached the organization’s domain controller, and from there compromised a significant number of network-attached Windows systems.

The Probable Vector? Email

While we don’t yet have any hard evidence, this was likely an email-borne attack. It was probably a standard mass phishing campaign rather than a spear-phishing attack, given the apparently indiscriminate modus operandi of the operators.

93% of hacking attacks include a phishing component.

Although SFMTA is not providing additional details about the attack, this is likely what happened:

An employee unknowingly opened a malicious email that contained the malware as an attachment or (more likely) clicked on a phishing URL and suffered a “drive-by” infection, or was induced to download and run a file found on the phishing website. The worst part is that the employee probably didn’t even know it happened.
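The two entry points described above, a malicious attachment and a phishing link whose visible text does not match its real destination, are both visible in the raw message before anyone clicks. The following is an added example written for this post; it is not Vade’s code, and the extension lists, the constructed sample message, and the addresses in it (RFC 5737 documentation IPs and example.com names) are assumptions made for illustration. It parses an email with Python’s standard library and flags executable or archive attachments and links whose displayed hostname differs from the hostname in the href.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extension lists are an assumption for this example, not a product setting.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta",
                    ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# <a href="...">visible text</a>; re.S lets the visible text span lines.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def hostname(url):
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r'https?://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ""


def triage(raw_bytes):
    """Return a list of findings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Attachments: flag dropper-style executables and archives by extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable-attachment:{name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive-attachment:{name}")

    # 2. Links: if the anchor text shows a URL, its host must match the href host.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in HREF_RE.findall(html_part.get_content()):
            shown = URL_RE.search(text)
            if shown and hostname(shown.group(0)) != hostname(href):
                findings.append(f"mismatched-link:{hostname(href)}")
    return findings


def build_message(html_body, attachment_name):
    """Construct a sample multipart message (constructed test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(html_body, subtype="html")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_phishing_sample():
    # Visible text claims billing.example.com, href points at a bare IP.
    html = ('<p>Your invoice is ready:\n'
            '<a href="http://198.51.100.23/inv">http://billing.example.com/inv</a>\n'
            '</p>')
    return build_message(html, "invoice.pdf.exe")


def build_benign_sample():
    html = ('<p>Your invoice is ready:\n'
            '<a href="http://billing.example.com/inv">http://billing.example.com/inv</a>\n'
            '</p>')
    return build_message(html, "invoice.pdf")


if __name__ == "__main__":
    for label, sample in (("phishing", build_phishing_sample()),
                          ("benign", build_benign_sample())):
        print(label, triage(sample))
```

The checks are deliberately cheap and run on the message alone, so they can sit at the mail gateway in front of any detonation or reputation lookup; an extension list will not catch a macro document renamed to `.doc` or a link shortener, so treat a clean result as “nothing obvious” rather than “safe”.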

Although having a major municipal department paralyzed in this way is frustrating, it shouldn’t be surprising… 93% of hacking attacks include a phishing component, and standard security systems are helpless to stop most sophisticated email security threats.

Are you ready to stop ransomware and other malware before it disrupts your network? The best malware protection is protection that addresses the single biggest vector of malware: email.

Find out more about Vade complete malware protection or contact us to get started.