Ransomware attack temporarily freed public transport in San Francisco

A ransomware infection made the computer systems of one of San Francisco’s public transport companies, the SFMTA, unusable. The company decided to give travelers free access to the metro while the systems were down.

The Register claims to have correspondence from the criminals behind the attack and reports that a total of 2,122 systems were infected with the HDDCryptor ransomware. For decryption of the files, the attackers demanded 100 bitcoins, which is about 68,500 euros. It is said to have been an untargeted attack in which desktops, servers and ticket machines, among other things, were affected because the domain controller was infected. The criminals complained that no one from the SFMTA had contacted them or paid the amount, the site writes.

The San Francisco Chronicle reports that the ticket machines were out of order on Friday evening and Saturday and that the systems are now working again. A spokesperson said there was “no impact on the transportation system, security system or passenger data.” It is not clear whether the transport company paid the ransom or whether, for example, the systems were restored from backups. CSO Online lists the attackers’ bitcoin address; at the moment no payments are visible there.

In an analysis of HDDCryptor, security firm Trend Micro previously wrote that this ransomware variant can be spread by a malicious executable file, after which the malware not only encrypts system files but also searches for accessible network shares to encrypt. For the encryption itself, the malware uses an open source tool called DiskCryptor.

According to the carrier’s spokesperson, this was the first ransomware attack on its systems. Earlier this year, another attack hit a US hospital in California with ransomware, after which it paid 40 bitcoins to get its files back. At the exchange rate at the time, that came to about 15,000 euros.
