The San Francisco Municipal Transportation Agency said Sunday that it had contained a ransomware attack that began Friday and affected its internal computer and payment systems. On Monday, however, the public transit system faced new, unsubstantiated claims that the group responsible for the attack is holding 30GB of the agency’s data hostage.

“On Nov. 25, the SFMTA was a victim of a ransomware attack,” reads a statement issued Sunday by the San Francisco Municipal Transportation Agency (SFMTA). “The situation is now contained, and we have prioritized restoring our systems to be fully operational.”

Hackers managed to disable its payment system as part of the attack, according to the SFMTA. A report filed Sunday by the San Francisco Examiner said the attackers were demanding 100 bitcoins, roughly $73,000, to restore the computer systems. Over the weekend a message – “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27[@]yandex.com)ID:681 ,Enter” – was displayed on the screens of some SFMTA systems.

In an email exchange on Monday, attackers claiming responsibility for the SFMTA hack told Threatpost that if the transit system doesn’t contact them, they will release 30GB of sensitive data, including databases and employee information.

In that exchange the attacker wrote:

“We Don’t live in USA but I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don’t , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!”

The attackers said they would only release the SFMTA data if the agency didn’t contact them or neglected to fix “the vulnerability.”

Paul Rose, a San Francisco Municipal Transportation Agency spokesperson, told Threatpost in a statement that the attackers’ allegations are false and that no customer privacy or transaction information was compromised.

“We have never considered paying ransom and don’t intend to. The attack did not penetrate our firewalls and we are able to restore systems through the work of internal staff,” Rose said.

He added that transit services, such as bus, streetcar and cable car service, were never affected and that rider safety was never at risk. The SFMTA made the decision to open the fare gates for customers as a “precaution to minimize any possible impacts to customers making transactions,” Rose said. He declined to comment further, citing an ongoing investigation.

Security experts are skeptical that attackers are in possession of any exfiltrated SFMTA data and suggest the claim is simply a ploy to keep the heat on the SFMTA to pay something.

“It’s all about the money. If the transit system has its system back online, then the attackers are going to try to get money out of them another way, such as threatening to release data,” said Matthew Gardiner, cybersecurity strategist at Mimecast.

“I haven’t seen any indication that they have taken data,” said Javvad Malik, security advocate at AlienVault. “In the absence of being able to provide any data samples we are forced to take the attackers’ word. And given the ethics of the people we are talking about I’m highly skeptical.”

The attackers purportedly used the ransomware HDDCryptor, also known as Mamba, to carry out the attack. The ransomware is unusual in that it encrypts a target’s entire hard drive rather than individual files. A researcher at Morphus Labs told Threatpost in September that once Mamba infects a machine, it overwrites the existing Master Boot Record with a custom MBR and, from there, encrypts the hard drive.
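Because this family announces itself by replacing the first sector of the disk, a defender can baseline that sector and alert when it changes. The following is an added example, not code from the article or from any vendor; the two sectors it checks are constructed test data, and the "tampered" bytes are a stand-in, not the malware's actual boot code.

```python
"""Baseline-and-compare check for the first disk sector (the MBR).

Constructed example: both sectors below are synthetic test data, not
bytes taken from the Mamba/HDDCryptor sample described in the article."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of code, four 16-byte entries, 0x55AA."""
    table = b"".join(struct.pack(ENTRY, *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00")[:446] + table + BOOT_SIG

def parse_mbr(sector: bytes) -> dict:
    """Return the boot code, the non-empty partition entries and the signature state."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for off in range(446, 510, 16):
        status, ptype, lba_start, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIG}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a captured MBR against a known-good baseline; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code changed since baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings

# Constructed known-good MBR: a two-byte infinite loop (JMP $) as stand-in boot code
# and one bootable NTFS-type (0x07) partition starting at LBA 2048.
GOOD = build_mbr(b"\xeb\xfe", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = hashlib.sha256(GOOD[:446]).hexdigest()
# Constructed tampered MBR: replacement boot code and a wiped partition table,
# the shape of change a bootloader-replacing disk encryptor produces.
TAMPERED = build_mbr(b"\xfa\xf4" * 40, [])

if __name__ == "__main__":
    print("known-good:", check_mbr(GOOD, BASELINE) or ["no findings"])
    print("tampered:  ", check_mbr(TAMPERED, BASELINE))
```

On a live host the sector would be read from the raw block device with administrative rights and the baseline hash stored off-box, since a compromised machine cannot be trusted to keep it.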

The attack infected 2,112 of the 8,565 computers owned by the SFMTA, according to the San Francisco Examiner, whose reports said it affected not only the payment system but also the scheduling and email systems.

“It’s always concerning when a cyberattack has operational impact on the physical world. That’s something that is happening more in recent years and something we need to be paying more attention to,” said Tim Erlin, senior director of IT risk and security strategy at Tripwire.

Erlin said large municipal transit systems are used to dealing with outages from a wide variety of circumstances.

“They are often not malicious computer attacks. In this case the SFMTA had systems in place that allow them to quickly return to normal under a variety of different circumstances including this type of significant interruption to its computer systems,” he said.

While the risk to passenger safety was never an issue in this attack, Erlin said he expects an increase in the number of cyberattacks that impact the physical world.

“We are inching closer to cyberattacks actually jeopardizing human safety,” he said Monday.

Over the past year there have been several warnings of cyberattacks affecting physical safety. St. Jude Medical is facing fresh allegations that its heart implant devices are vulnerable to cyberattacks. In July, Cyber Risk Management published a report warning that hospitals are prime targets for hackers who see internet-connected healthcare equipment as low-hanging fruit, whether for making a quick buck by stealing medical records or for carrying out a ransomware attack on life-saving healthcare equipment.


Comments (2)

GM:

what? How does the attack not ‘penetrate the firewall’ but somehow compromises the payment system, the email system, and a scheduling system? Are these things outside the firewall?! Also, how would they know if customer info was accessed considering the machines the hacker opines to have gotten data from were then cryptolocked, so no chance of reading metadata to determine what may have been accessed. Sounds like total denial so far, we’ll see what they say if whoever did this actually drops the data. I’m guessing the “we’re investigating and can’t talk more” response.

woody188 (in reply to GM):

Ransomware is often delivered via email but may have been stopped from contacting a C2 server, hence that claim. I believe Mamba is an offline-style ransomware, hence the email contact versus a tor/onion URL.
