Workstations, servers, ticket machines derailed by malware
Hard-drive-scrambling ransomware infected more than 2,000 systems at San Francisco’s public transit agency on Friday and demanded 100 bitcoins to unlock data, The Register has learned.
Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT staff scrambled to clean up the mess.
A variant of the HDDCryptor malware hit 2,112 computers within the San Francisco Municipal Transportation Agency, according to correspondence with the ransomware’s masters seen by El Reg.
These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs.
It appears the malware was able to reach the agency’s domain controller and compromise network-attached Windows systems.
There are roughly 8,500 PCs, Macs and other boxes on the agency’s network.
After the vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: “You Hacked, ALL Data Encrypted, Contact For Key ([email protected]) ID:601.”
HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks’ MBRs, where possible, to stop systems from booting up properly.
A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, after which the infection spreads out across the network.
When the 100 bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over the decryption keys to restore the ciphered drives and files.
A bitcoin wallet into which the transit agency is expected to pay remains empty.
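The MBR overwrite described above is the part of the damage a defender can check for cheaply. As an added example (not code from this article, from Muni or from Talos), the Python below parses a 512-byte MBR and reports when the boot code, partition table or 0x55AA signature differ from a known-good baseline copy; the sector images are constructed test data, and the disk layout values are assumptions.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510            # 0x55 0xAA marks a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        # status, skip CHS start, type, skip CHS end, LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append((status == 0x80, ptype, lba, count))
    sig = struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0]
    return {
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
        "valid_signature": sig == 0xAA55,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings that distinguish a tampered MBR from the known-good one."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature missing")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("boot code replaced")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed test MBR: boot code, up to four entries, signature."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + b"\x55\xAA"


# Constructed samples (assumed layout): a healthy single-NTFS-partition MBR, the
# same disk with only its boot code swapped for a lock-screen loader, and a
# sector that has been overwritten wholesale.
GOOD = make_sector(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
LOADER_SWAPPED = make_sector(b"\xeb\xfe" * 200, [(0x80, 0x07, 2048, 1_000_000)])
WIPED = b"\x00" * SECTOR
```

On a live host the baseline would be captured from the first sector of the boot disk while the machine is known-good, and `check_mbr` run against a fresh read of that sector.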
You’ve been hacked … Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)
Buses and the underground-overground Muni rail system continue to run.
The Muni’s turnstiles were left open from Friday evening, though, allowing people to travel for free.
Ticketing systems were halted with “out of service” messages in the wake of the infection.
“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” the transit agency’s spokesman Paul Rose said on Saturday. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”
San Francisco’s public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware.
Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don’t. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware. ®
Hat tip: Thanks to computer security researcher Mike Grover for his help with this article.