Monday, November 28, 2016

Passengers Ride Free on San Francisco Subway after Ransomware Attack

Hard-drive-scrambling ransomware menaced more than 2,000 systems at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data.


[Image: San Francisco subway car in station]

View the original article from The Register here.


Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.


A variant of the HDDCryptor malware infected 2,112 computers within the San Francisco Municipal Transportation Agency, the ransomware's masters claimed in email correspondence seen by El Reg.


These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. We're told that the worm-like malware automatically attacked the agency's network, and was able to reach the organization's domain controller and compromise network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency's network.


After the vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: "You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601."


HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks' MBRs, where possible, to prevent systems from booting up properly. A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, and then the infection spreads out across the network.
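The paragraph above describes the two things this family does to a disk: scramble the data and overwrite the MBR so the machine no longer boots normally. The following is an added example, not code from The Register article or from any vendor tool it mentions: a small Python baseline-and-compare checker for the first sector of a disk. It records a known-good snapshot (boot code hash, disk signature, partition table) and later flags the kinds of change an MBR-overwriting infection leaves behind. The sample MBR, the tamper simulation and all values in them are constructed for illustration; on a live system the 512 bytes would come from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both requiring administrative rights).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a bootable MBR
PART_TABLE_OFFSET = 446             # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sample MBR: placeholder boot code, a disk signature and one NTFS partition."""
    boot_code = bytes([0xEB, 0x3C]) + bytes(438)          # a jump opcode then padding (440 bytes)
    disk_signature = struct.pack("<I", 0x1234ABCD)         # constructed value
    reserved = b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(16 * 3)                          # three empty entries
    return boot_code + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_partitions(sector):
    """Return the non-empty entries of the partition table as dictionaries."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def snapshot(sector):
    """Baseline to store (off-host) while the system is known to be clean."""
    return {
        "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parse_partitions(sector),
    }


def check_mbr(sector, baseline):
    """Compare a freshly read first sector against the baseline; return a list of findings."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: firmware will not boot this disk")
    current = snapshot(sector)
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed since baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        if not current["partitions"]:
            findings.append("partition table wiped")
        else:
            findings.append("partition table differs from baseline")
    return findings


def read_first_sector(device_path):
    """Read the MBR from a raw device; needs administrative rights on a real host."""
    with open(device_path, "rb") as handle:
        return handle.read(SECTOR_SIZE)


def simulate_bootloader_overwrite(sector):
    """Constructed tamper case: new boot code, signature kept so the firmware still runs it, table zeroed."""
    return bytes([0xB8, 0x00, 0x00]) + bytes(437) + sector[440:446] + bytes(64) + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    base = snapshot(good)
    print("clean disk:", check_mbr(good, base))
    print("overwritten MBR:", check_mbr(simulate_bootloader_overwrite(good), base))
```

The baseline must be stored somewhere the malware cannot reach (a management host or read-only media), since a compromised machine's own copy would be encrypted along with everything else; the check is also only useful if run from clean boot media or before the reboot that the paragraph describes, because once the replaced boot code runs the operating system never starts.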


When the 100-bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over a master decryption key to restore the ciphered drives and files. A bitcoin wallet into which the transit agency is expected to pay remains empty.


The extortionists behind the malware have complained that no one at the agency has so far spoken to them, let alone offered to pay. The crooks said they will give Muni officials another day or so to get in touch before walking away. They also offered to decrypt one machine for one bitcoin to prove restoration is possible.


"Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 server/PCs [were] infected by software," the ransomware's masterminds claimed in a statement in broken English on Sunday via email. "So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we close this email [account] tomorrow."

[Image] You've been hacked ... Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)

Buses and the underground-overground Muni rail system continue to run. The Muni's turnstiles were left open from Friday night, though, allowing people to travel for free. Ticketing systems were halted with "out of service" messages in the wake of the infection.


"There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact," the transit agency's spokesman Paul Rose said on Saturday. "Because this is an ongoing investigation it would not be appropriate to provide additional details at this point."


San Francisco's public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware. Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don't. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware. ®

Friday, November 4, 2016

Computer Virus Forces Hospitals to Cancel Operations

A computer virus has forced three hospitals offline and caused the cancellation of all routine operations and outpatient appointments.

[Image] The hospital says the "major incident" means patients should avoid visiting if possible.
Image: ZDNet

View the original article from ZDNet here.


The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus.


"A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive, according to the BBC.


The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack.

As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been cancelled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.


The NHS Trust hasn't provided specific information about the sort of virus or malware which has infected its systems -- or how it managed to breach any defenses.


The hospital says that from Wednesday appointments in some areas -- audiology physiological measurement, antenatal, community and therapy, chemotherapy, pediatrics, and gynecology -- will be going ahead and it will be contacting patients who are able to be seen.


Northern Lincolnshire and Goole NHS Foundation Trust says it is reviewing the situation on an hourly basis and offers its apologies to patients who are being affected.