{"id":6587,"date":"2016-12-01T01:20:29","date_gmt":"2016-12-01T06:20:29","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=6587"},"modified":"2018-06-09T16:34:50","modified_gmt":"2018-06-09T11:04:50","slug":"mamba-ransomware-allows-riders-free-entry-to-san-francisco-muni","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/mamba-ransomware-allows-riders-free-entry-to-san-francisco-muni\/6587\/","title":{"rendered":"Mamba ransomware allows riders free entry to San Francisco Muni"},"content":{"rendered":"<p>This past weekend, November 26 and 27, people traveling on the San Francisco Municipal Railway were surprised to find out that they <a href=\"https:\/\/www.tripwire.com\/state-of-security\/featured\/ransomware-hits-san-francisco-transport-system-free-rides-for-all-as-73000-demanded\/%2523\" target=\"_blank\" rel=\"noopener nofollow\">didn\u2019t have to pay<\/a> for their rides. Everyone rode free both days. A socialist dream come true? Nope. The SF Municipal Railway, aka the Muni, lost the ability to sell tickets because it was attacked by ransomware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-13540 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2016\/12\/05085941\/muni-ransomware-featured-1.jpg\" alt=\"Mamba ransomware allows riders free entry to San Francisco Muni\" width=\"1280\" height=\"840\"><\/p>\n<p>Some media outlets <a href=\"http:\/\/www.csoonline.com\/article\/3144991\/security\/ransomware-forces-sfmta-to-give-free-rides-73-000-demanded-by-attackers.html\" target=\"_blank\" rel=\"noopener nofollow\">claim<\/a> that the problem manifested a few days earlier, just before Thanksgiving Day, when station ticket machines and schedule monitors started displaying a message saying \u201cYou Hacked\u201d \u2014 as usual, ransomware announced itself with a lot of grammatical mistakes. 
It seems that the ransomware, called Mamba, which is a variant of <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds\/\" target=\"_blank\" rel=\"noopener nofollow\">HDDCryptor<\/a>, knocked more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA) out of commission.<\/p>\n<p>Mamba (and HDDCryptor; let\u2019s just consider them one and the same for the rest of this post) is a piece of ransomware that encrypts the whole hard drive and changes the master boot record (MBR) to prevent infected computers from loading their operating systems, displaying the malefactors\u2019 message instead.<\/p>\n<p>The creators of Mamba used open-source utilities as parts of the Trojan, and that, among other things, helped them create a strong encryption scheme. So <b>there is no known way to get back files encrypted by Mamba without paying the criminals.<\/b><\/p>\n<p>The Mamba perpetrators urged the SFMTA to contact them at <i>cryptom27@yandex.com<\/i>, and using this e-mail address, a journalist from the <a href=\"http:\/\/www.sfexaminer.com\/alleged-muni-hacker-demands-73000-ransom-computers-stations-restored\/\" target=\"_blank\" rel=\"noopener nofollow\"><i>San Francisco Examiner<\/i><\/a> was able to talk to the criminals, who introduced themselves as \u201cAndy Saolis.\u201d As Saolis\u2019 story went, the attack on Muni was not a targeted one; the system got infected simply because someone with admin privileges downloaded an infected torrent file.<\/p>\n<p>Saolis also told the <i>Examiner<\/i> that the SFMTA had to pay them 100 bitcoins (about $73,000) to get its computers back in operation. 
But it seems the SFMTA was able to deal with the problem without paying the ransom; later on Sunday, the ticket machines were functioning again.<\/p>\n<p>Kaspersky Lab\u2019s antimalware researchers are keeping close track of the threat actor responsible for the attack. It seems that Mamba is typically used to attack businesses and organizations: The Muni attack is not the first notch on Mamba\u2019s belt \u2014 and actually, 100 bitcoins is a rather small sum by these criminals\u2019 standards. Usually they demand much more.<\/p>\n<p>So, Mamba seems like a really nasty threat. What can you do to protect yourself and your organization from it?<\/p>\n<p>1. The SFMTA was able to get Muni up and running relatively quickly because it had backups. It\u2019s worth mentioning that these backups were not on network shares; otherwise, Mamba would\u2019ve encrypted them as well.<\/p>\n<p>The lesson here: Be like the SFMTA and back up your data regularly. Keep the backups either in the cloud or on external hard drives, not on your computer or network-attached devices.<\/p>\n<p>2. Be even smarter than the SFMTA and avoid getting infected by Mamba, or any other ransomware, at all. To do that, use a good security solution. <a href=\"https:\/\/www.kaspersky.co.in\/internet-security?icid=in_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener\">Kaspersky Internet Security<\/a> detects Mamba (and HDDCryptor, and others like them) as HEUR:Trojan.Win32.Generic and doesn\u2019t give them a chance to encrypt anything.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This past weekend, November 26 and 27, people traveling on the San Francisco Municipal Railway were surprised to find out that they didn\u2019t have to pay for their rides. 
Everyone<\/p>\n","protected":false},"author":696,"featured_media":6588,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2196],"tags":[1933,1934,443,1935,527],"class_list":{"0":"post-6587","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-hddcryptor","10":"tag-mamba","11":"tag-ransomware","12":"tag-san-francisco","13":"tag-threats"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/mamba-ransomware-allows-riders-free-entry-to-san-francisco-muni\/6587\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/hddcryptor\/","name":"HDDCryptor"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=6587"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6587\/revisions"}],"predecessor-version":[{"id":13502,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/6587\/revisions\/13502"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/6588"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=6587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=6587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersk
y.co.in\/blog\/wp-json\/wp\/v2\/tags?post=6587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}