Black Friday was a black day for San Francisco’s Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system’s networks, taking down ticketing for Muni’s train stations and systems used to manage the city’s buses. The operator of the ransomware demanded $73,000 in exchange for restoration of Muni’s data, according to a report from the San Francisco Examiner.
The malware’s effects were visible on screens in station agents’ booths at multiple Muni train stations, which displayed the message “You Hacked, ALL Data Encrypted.” The ransom message gave an e-mail address (cryptom27@yandex.com) that has been tied to earlier attacks using variants of the ransomware known as Mamba and HDDCryptor, two names for the same family of crypto-ransomware, first identified from separate samples in September by Morphus Labs and Trend Micro.
A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the whole network of its victims, encrypting local volumes and any network drives the infected machine can reach. It does the encryption with DiskCryptor, a legitimate open source full-disk encryption tool, and builds its target list with the Windows GetLogicalDrives function, which returns every drive letter currently assigned on the system, mapped network shares included. It also bundles Netpass.exe, a freeware network password recovery tool, to recover stored credentials for network shares. Finally, HDDCryptor overwrites the Master Boot Record of the infected machine with its own boot code, in some cases forcing a reboot, so that the system shows the ransom message instead of starting Windows.
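As an added illustration of the two behaviours described above (this is example code written for this article, not code from the malware or from Morphus Labs or Trend Micro), the Python below decodes the bitmask that GetLogicalDrives returns into drive letters the way an inventory or hunting script would, separates mapped network drives from local volumes using the GetDriveTypeW codes, and checks a 512-byte sector-0 image against a hash recorded while the host was known-good. The drive mask, the drive-type map and the two sample MBR images are constructed for the example; the live kernel32 and raw-disk calls run only on Windows and are guarded.

```python
"""Defensive helpers for the HDDCryptor behaviours described in the article:
drive enumeration via GetLogicalDrives() and overwriting of the MBR.
Example code written for this article, not code from the malware or from
Morphus Labs / Trend Micro. The pure-Python parts run anywhere; the live
Windows API and raw-disk calls are guarded and need administrator rights."""
from __future__ import annotations

import ctypes
import hashlib
import sys

# GetDriveTypeW() return codes, as defined in winbase.h
DRIVE_TYPE_NAMES = {
    0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
    4: "REMOTE", 5: "CDROM", 6: "RAMDISK",
}
DRIVE_REMOTE = 4

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable sector 0


def decode_logical_drives(mask: int) -> list[str]:
    """GetLogicalDrives() returns a DWORD bitmask: bit 0 set means A: exists,
    bit 1 means B:, ... bit 25 means Z:. Mapped network drives are included,
    which is why one call hands ransomware its whole list of targets."""
    return [f"{chr(ord('A') + bit)}:" for bit in range(26) if mask & (1 << bit)]


def split_by_exposure(drive_types: dict[str, int]) -> dict[str, list[str]]:
    """Group drive letters into local volumes and network (DRIVE_REMOTE) mappings,
    so an analyst can see which shares a compromised account would encrypt."""
    groups: dict[str, list[str]] = {"local": [], "network": []}
    for letter, dtype in sorted(drive_types.items()):
        groups["network" if dtype == DRIVE_REMOTE else "local"].append(letter)
    return groups


def enumerate_drives_windows() -> dict[str, int]:
    """Live enumeration, Windows only: the same kernel32 calls the article
    describes, used here to inventory rather than to encrypt."""
    if sys.platform != "win32":
        raise RuntimeError("GetLogicalDrives/GetDriveTypeW exist only on Windows")
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    return {letter: k32.GetDriveTypeW(letter + "\\")
            for letter in decode_logical_drives(mask)}


def check_mbr(sector0: bytes, baseline_sha256: str) -> dict[str, bool]:
    """Integrity check of sector 0 against a hash recorded while the host was
    known-good. A ransomware bootloader is still a *valid* MBR (the 0x55AA
    signature is present), so the signature alone proves nothing; the
    comparison with the baseline is the real test."""
    has_signature = len(sector0) == MBR_SIZE and sector0[-2:] == BOOT_SIGNATURE
    matches = hashlib.sha256(sector0).hexdigest() == baseline_sha256
    return {
        "valid_signature": has_signature,
        "matches_baseline": matches,
        "tampered": not (has_signature and matches),
    }


def read_sector0_windows(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first 512 bytes of a physical disk (Windows, administrator required)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample data, not captured from Muni or from an HDDCryptor sample:
# a stand-in "known-good" MBR and a variant with ransom text written over the boot code.
GOOD_MBR = b"\xfa\x33\xc0" + b"\x90" * 507 + BOOT_SIGNATURE
GOOD_MBR_SHA256 = hashlib.sha256(GOOD_MBR).hexdigest()
RANSOM_MBR = b"You Hacked, ALL Data Encrypted".ljust(510, b"\x00") + BOOT_SIGNATURE

if __name__ == "__main__":
    # Constructed mask with bits 2, 3 and 25 set: C:, D: and Z: (Z: stands in for a mapped share)
    letters = decode_logical_drives((1 << 2) | (1 << 3) | (1 << 25))
    print("drives:", letters)
    print("exposure:", split_by_exposure({"C:": 3, "D:": 3, "Z:": DRIVE_REMOTE}))
    print("good MBR:", check_mbr(GOOD_MBR, GOOD_MBR_SHA256))
    print("ransom MBR:", check_mbr(RANSOM_MBR, GOOD_MBR_SHA256))
```

Both sample sectors end in 0x55AA, so the ransom variant passes the signature test and is caught only by the baseline hash mismatch, which is why a baseline recorded before the incident matters more than any structural check of the MBR itself.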