San Francisco commuters using the Muni railway stations got an unexpected boost to their wallets at the end of last week when payment machines starting reading “out of service”.
Nothing extraordinary in that perhaps except that computer screens at nearby ticket kiosks started displaying a more alarming message suggesting this was no ordinary technical glitch:
“You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.”
In San Francisco, Muni controls public transport including trams, trains and the famous cable cars everyone thinks of when they imagine visiting the city.
The rail system continued to operate but with no ability to take fares, gates were left open, allowing passengers to travel for free.
By the time the disruption had been resolved on Sunday, drivers were apparently still being given their routes in handwritten notes posted to bulletin boards.
At this point we should spare a thought for Muni’s IT staff who must have realised at some point on Friday that they might not be eating much turkey that Thanksgiving weekend.
Clearly, something significant went awry on Muni’s network, but what?
Reporters who contacted the email address mentioned by the screen message were told by someone identifying him or herself as ‘Andy Saolis’ that the attackers wanted a payment of 100 Bitcoins (about $73,000) to provide decryption keys for affected PCs.
The attacker claimed 2,112 Muni computers had been infected with ransomware – about a quarter of its entire installation – including PCs, laptops, and servers holding SQL databases and payroll systems.
The attacker said the malware involved was a variant of the potent if rare HDDcryptor (aka Mamba) ransomware which dates back as to the beginning of the 2016 but which spiked in August.
Normally, ransomware scrambles some or all of the user’s data but leaves the computer operational enough to pay any ransom demanded. As analysed by Sophos in September, Mamba takes things an unpleasant stage further:
“It scrambles every disk sector, including the Master File Table, the operating system, your apps, any shared files and all your personal data, too.”
There is nothing especially sophisticated about this malware, which simply re-purposes widely-available open source software to do its dirty work, but there is no denying its nastiness.
To be clear, none of these claims or details have been verified and, so far, Muni hasn’t yet said anything about the scale or cause of what happened over the weekend.
“There has been no impact to the transit service, to our safety systems or to our customer’s personal information,” Muni told the BBC.
By Sunday the service (if perhaps not the computer network) appeared to be working normally.
To date, ransomware attacks affecting public services have mainly affected the healthcare sector.
If it is confirmed, the Muni Thanksgiving attack will be evidence the MO is spreading to take aim at other services too.