Ransomware attack resulted in free train rides over the holiday weekend (Nov 30, 2016)

Over the holiday weekend, the San Francisco Municipal Transportation Agency fell victim to a ransomware attack. It locked up Muni’s public transportation ticket machines, resulting in free rides on trains and city buses. It was reported that the ransomware demanded $73,000 in exchange for returning Muni’s data, but the transportation agency avoided paying the ransom and was able to restore its systems.

According to reports, an extortion message reading “You Hacked, ALL Data Encrypted” was displayed at multiple Muni train station booths. It also gave an email address (cryptom27@yandex.com) that has been seen tied to a ransomware family known as HDDCryptor.

Like another ransomware called Petya, which we wrote about here, HDDCryptor is a variant that rewrites the computer’s master boot record (MBR) and locks the victim out of their computer.

Infection Cycle:

Upon execution, this Trojan drops the following files under %SYSTEMROOT%\DC22\:

  • %SYSTEMROOT%\DC22\dcinst.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcrypt.sys – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dcapi.dll – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\dccon.exe – DiskCryptor component (non-malicious)
  • %SYSTEMROOT%\DC22\netpass.exe – Network Password Recovery tool (non-malicious)
  • %SYSTEMROOT%\DC22\mount.exe [Detected as GAV: HDDCryptor.MB (Trojan)]

It registers a service named “DefragmentService.” It uses the Network Password Recovery utility from NirSoft (netpass.exe) to gather information on all shared drives and saves that data to %SYSTEMROOT%\DC22\netpass.txt. It also runs the “net use” command to list the computer’s shared resources and network connections, and saves that output to %SYSTEMROOT%\DC22\netuse.txt. Finally, it adds a new user account with the username “mythbusters” and password “123456” using the “net user” command.

Executing netpass.exe on its own brings up the UI of this freeware.

It then spawns mount.exe to start hard drive encryption. Mount.exe uses the information in netuse.txt and netpass.txt to enumerate shared drives, mount them and start encrypting.

The ransomware performs the encryption with DiskCryptor, an open source disk encryption tool that supports the AES, Twofish and Serpent algorithms.

All of the Trojan’s activities are logged as they happen to %SYSTEMROOT%\DC22\log_file.txt.
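A defender-side check that correlates the host indicators described above (the DC22 staging directory, the DefragmentService service, the “mythbusters” account and the “net use” enumeration) into a single verdict. This is an added example, not code from the SonicWall write-up; the Sysmon-style event shape, the indicator weights, the threshold and the sample events are my own constructions, and DiskCryptor files are deliberately scored low because the tool itself is legitimate.

```python
import re
# Artifacts the article attributes to HDDCryptor; weights are my assumption: DiskCryptor is a
# legitimate tool, so its files only count when staged in the DC22 directory the dropper uses.
DISKCRYPTOR_FILES = {"dcinst.exe", "dcrypt.exe", "dcrypt.sys", "dcapi.dll", "dccon.exe", "netpass.exe"}
DROPPED_ARTIFACTS = {"mount.exe", "netpass.txt", "netuse.txt", "log_file.txt"}
NET_USER_RE = re.compile(r"^\s*(?:\S*[\\/])?net(?:\.exe)?\s+user\s+mythbusters\s+123456\b", re.I)
NET_USE_RE = re.compile(r"^\s*(?:\S*[\\/])?net(?:\.exe)?\s+use\s*$", re.I)
THRESHOLD = 5  # assumed: one strong indicator plus any corroborating one

def normalize_path(path):
    # Lower-case, unify slashes and expand %SYSTEMROOT% so both spellings compare equal
    return path.strip().lower().replace("/", "\\").replace("%systemroot%", "c:\\windows")

def score_event(event):
    """Return (weight, reason) for one event, or (0, None) if it is not an indicator."""
    kind = event.get("type")
    if kind == "FileCreate":
        p = normalize_path(event["path"])
        name = p.rsplit("\\", 1)[-1]
        if p.startswith("c:\\windows\\dc22\\") and name in DROPPED_ARTIFACTS:
            return 2, "HDDCryptor artifact in DC22: " + name
        if p.startswith("c:\\windows\\dc22\\") and name in DISKCRYPTOR_FILES:
            return 1, "DiskCryptor component staged in DC22: " + name
    elif kind == "ServiceInstall" and event["name"].lower() == "defragmentservice":
        return 3, "service DefragmentService registered"
    elif kind == "ProcessCreate":
        if NET_USER_RE.search(event["cmdline"]):
            return 4, "backdoor account mythbusters/123456 created"
        if NET_USE_RE.search(event["cmdline"]):
            return 1, "net use share enumeration (noisy on its own)"
    return 0, None

def assess_host(events):
    # Correlate one host's events into a total score, the matched reasons and a verdict
    hits = [(w, why) for w, why in map(score_event, events) if w]
    total = sum(w for w, _ in hits)
    return {"score": total, "hits": [why for _, why in hits], "hddcryptor": total >= THRESHOLD}

# Constructed Sysmon-style events for illustration (not from the article or any real host)
INFECTED_HOST = [
    {"type": "FileCreate", "path": "%SYSTEMROOT%\\DC22\\dcrypt.sys"},
    {"type": "FileCreate", "path": "C:\\Windows\\DC22\\mount.exe"},
    {"type": "ServiceInstall", "name": "DefragmentService"},
    {"type": "ProcessCreate", "cmdline": "C:\\Windows\\System32\\net.exe user mythbusters 123456 /add"},
    {"type": "ProcessCreate", "cmdline": "net use"},
]
ADMIN_HOST = [  # legitimate DiskCryptor install plus an admin running net use: stays below threshold
    {"type": "FileCreate", "path": "C:\\Program Files\\dcrypt\\dcrypt.sys"},
    {"type": "ProcessCreate", "cmdline": "net use"},
]
```

Call `assess_host()` on a host's collected events; only the combination of indicators crosses the threshold, so a benign DiskCryptor deployment or a lone “net use” does not alert.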

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: HDDCryptor.MB (Trojan)
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.