Ransomware Hits San Francisco Public Transit System, Asks for $73,000

Ransomware known as HDDCryptor (or Mamba) has infected 2,112 computers belonging to the San Francisco Municipal Railway system (nicknamed Muni).

The infection took place over the weekend and Muni officials had to allow locals to ride the railway system for free after they couldn’t issue tickets.

A quarter of Muni’s computers affected

The San Francisco Examiner reports that 2,112 of Muni’s 8,656 computers were infected, including the institution’s payment and railway scheduling system. The email system was also affected.

Due to the ransomware’s impact, officials had to assign routes via handwritten notes posted on bulletin boards.

In some cases, the ransomware message was visible to Muni passengers, as it affected computers showing advertisements, route information, or time schedules. Ticket booths were down all across the city. San Francisco local Colin Heilbut took a snapshot of one of Muni’s infected computers and posted it on Twitter. Another photo also posted on Twitter showed out-of-service ticket dispensers.

Ransomware encrypts computer’s MBR

The message that appeared on the screen of Muni computers reads: “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

This is the typical message shown by HDDCryptor variants, a type of ransomware built on the DiskCryptor disk-encryption tool that rewrites a computer’s MBR (Master Boot Record) boot sectors and locks users out of their PCs before the operating system loads.
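Because HDDCryptor's lock-out works by rewriting the boot sectors, the defensive question is how to notice that the first 512 bytes of a disk have changed. The following Python script is an added example written for this article, not code from Bleeping Computer or from any vendor tool: it parses an MBR into its bootstrap-code region, partition table and 0x55AA signature, records a baseline from a known-good sector, and reports which regions differ on a later read. The two sample sectors are constructed inline; on a real host a privileged agent would read the 512 bytes from the raw disk device, which this example deliberately does not do.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: boot code executed by the firmware
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511: MBR signature

# One partition entry: status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")


def build_mbr(bootstrap: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR from boot code, up to four (status, type, lba, count)
    tuples and a signature. Used here only to construct sample sectors."""
    if len(bootstrap) > BOOTSTRAP_LEN or len(partitions) > 4:
        raise ValueError("bootstrap too long or too many partitions")
    table = b"".join(PART_ENTRY.pack(*p) for p in partitions).ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + signature


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its regions and hash the ones an integrity check should track."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    parts = []
    for i in range(4):
        status, ptype, lba, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 marks an empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(
            sector[PART_TABLE_OFF:PART_TABLE_OFF + 64]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline captured from a known-good state.
    Returns a list of findings; an empty list means no change was detected."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is no longer a valid MBR")
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed: boot sector has been rewritten")
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table changed: %d entries now vs %d in baseline"
                        % (len(current["partitions"]), len(baseline["partitions"])))
    return findings


# --- constructed sample sectors (not captured from any real system) ---
# Clean MBR: a few typical x86 start-up opcodes as boot code and one bootable NTFS partition.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10, [(0x80, 0x07, 2048, 204800)])
# Rewritten MBR: boot code replaced and partition table zeroed, while the 0x55AA signature is
# kept so the firmware still boots the sector. A signature-only check would miss this.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"LOCKED" * 20, [])

BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The check hashes the bootstrap region and the partition table separately so an alert can say which one moved; a legitimate OS upgrade or partitioning change will also trigger it, so the baseline needs to be refreshed as part of change management rather than treated as a one-time snapshot.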

This variant, called HDDCryptor or Mamba, appeared at the start of 2016 and continued to claim victims throughout the year. Bleeping Computer published an article on the ransomware’s technical capabilities back in September.

About a week after our article, a user reported an HDDCryptor infection on the Bleeping Computer forums that featured the same email address as the one used in the Muni attack.

Ransomware author asking for $73,000

Bleeping Computer reached out to the ransomware author via email but has yet to hear back. Nevertheless, the author had responded to a few media inquiries from local San Francisco newspapers.

Calling himself Andy Saolis, the ransomware author said this was an accidental infection, and that he didn’t specifically target San Francisco’s Muni system.

He also said Muni officials would have to pay $73,000 (100 Bitcoin) to regain access to their computer network.

In a separate answer provided to The Verge, Saolis said he initially infected a computer running Windows Server 2000, from where the ransomware spread.

He also hinted that Muni officials won’t pay the ransom and that he’ll close his email account to avoid further scrutiny.

If Muni officials decide to pay, they wouldn’t be the first. Back in February, the Hollywood Presbyterian Medical Center agreed to pay $17,000 for a ransomware infection. The attacker initially asked for $3.6 million, after infecting most of the hospital’s computer network. Similarly, the Horry County school district in South Carolina also agreed to pay $8,500 after suffering a similar fate.