Ride for Free! Hackers Hold SF's MTA's Computer Network Hostage For $73k Ransom

Razer rayzer at riseup.net
Sun Nov 27 19:56:08 PST 2016


http://hoodline.com/2016/11/hackers-hold-sfmta-s-computer-network-hostage-for-73k-ransom

Muni passengers were treated to free rides for much of the weekend after
a cyber attack on Muni's computer network Friday afternoon left
ticketing kiosks inoperable. But the San Francisco Municipal Transit
Agency looks poised to lose more than a weekend of fares, Hoodline has
learned.

According to the pseudonymous hacker, the agency's computers are being
held ransom for more than $73,000 with only one day left to
pay, and nearly 25 percent of Muni's network has been compromised.

The severity of the attack still remains unknown to the public. However,
documents released by one of the hackers suggest many vital agency
functions have been compromised, including payroll, email servers,
Quickbooks, NextBus operations, various MySQL database servers, staff
training and personal computers for hundreds of employees.

In all, the hackers claim to control 2,112 of the 8,656 computers on
SFMTA's network.

In a statement released by agency spokesperson Paul Rose, “The incident
remains under investigation, so it wouldn't be appropriate to provide
any additional details at this point.”

The attack, first reported by the Examiner on Saturday (link), left
kiosks across Muni's downtown stations with a message reading, “You
Hacked, ALL Data Encrypted. Contact For Key(cryptom27 at yandex.com)ID:681
,Enter.”

Unable to process fares, Muni left turnstiles open for passengers to
ride freely.

Muni's computers have been hijacked using the HDDCryptor
ransomware, which targets Windows machines. Also known as Mamba, the
ransomware encrypts hard drives and requires a password to unlock,
leaving Muni without access.

Reached at the provided email, the hackers, calling themselves “Andy
Saolis,” demanded 100 Bitcoin—the equivalent of more than $73,000—from
San Francisco's transit agency:

if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES
2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For
Your All Server's HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it's Fast way!

The hackers followed up, writing, “say to company owner we are waiting
one more day for deal and after it this email closing for security
reason!” In another email, they declared, “we only encrypt 2000
important server and PC , another systems don't point to us !”

Andy Saolis, a pseudonym commonly used in HDDCryptor ransom attacks, also
provided a list of all 2,112 machines under their control, as well as a
Bitcoin wallet to which the ransom could be paid. So far, no transfers
have been posted to that wallet, but it is likely the hackers provided
different wallets to each email contact to avoid being easily tracked.

SFMTA's backup servers did not appear to be among the thousands of
impacted machines, which could allow the agency to avoid paying the
ransom and restore its computers from previous copies of its system
data. However, depending on how old the backups are, it could still
risk losing critical information.

