{"id":13539,"date":"2016-12-01T09:09:21","date_gmt":"2016-12-01T14:09:21","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=13539"},"modified":"2019-11-15T13:46:03","modified_gmt":"2019-11-15T11:46:03","slug":"mamba-hddcryptor-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/mamba-hddcryptor-ransomware\/13539\/","title":{"rendered":"Mamba ransomware allows riders free entry to San Francisco Muni"},"content":{"rendered":"<p>This past weekend, November 26 and 27, people traveling on the San Francisco Municipal Railway were surprised to find out that they <a href=\"https:\/\/www.tripwire.com\/state-of-security\/featured\/ransomware-hits-san-francisco-transport-system-free-rides-for-all-as-73000-demanded\/%2523\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">didn\u2019t have to pay<\/a> for their rides. Everyone rode free both days. A socialist dream come true? Nope. The SF Municipal Railway, aka the Muni, lost the ability to sell tickets because it was attacked by ransomware.<\/p>\n<p>Some media outlets <a href=\"http:\/\/www.csoonline.com\/article\/3144991\/security\/ransomware-forces-sfmta-to-give-free-rides-73-000-demanded-by-attackers.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">claim<\/a> that the problem manifested a few days earlier, just before Thanksgiving Day, when station ticket machines and schedule monitors started displaying a message saying \u201cYou Hacked\u201d \u2014 as usual, ransomware announced itself with a lot of grammatical mistakes. 
It seems that the ransomware, called Mamba, which is a variant of <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">HDDCryptor,<\/a> knocked more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA) out of commission.<\/p>\n<p>Mamba (and HDDLocker; let\u2019s just consider them one and the same for the rest of this post) is a piece of ransomware that encrypts the whole hard drive and changes the master boot record (MBR) to prevent infected computers from loading their operating systems, displaying the malefactors\u2019 message instead.<\/p>\n<p>The creators of Mamba used open-source utilities as parts of the Trojan, and that, among other things, helped them create a strong algorithm. So <b>there is no known way to get back files encrypted by Mamba without paying the criminals.<\/b><\/p>\n<p>The Mamba perpetrators urged the SFMTA to contact them at <i>cryptom27@yandex.com<\/i>, and using this e-mail address, a journalist from the <a href=\"http:\/\/www.sfexaminer.com\/alleged-muni-hacker-demands-73000-ransom-computers-stations-restored\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><i>San Francisco Examiner<\/i><\/a> was able to talk to the criminals, who introduced themselves as \u201cAndy Saolis.\u201d As Saolis\u2019 story went, the attack on Muni was not a targeted one; the system got infected simply because someone with admin privileges downloaded an infected torrent file.<\/p>\n<p>Saolis also told the <i>Examiner<\/i> that the SFMTA had to pay them 100 bitcoins (about $73,000) to get its computers back in operation. 
But it seems the SFMTA was able to deal with the problem without paying ransom; later on Sunday, the ticket machines were functioning again.<\/p>\n<p>Kaspersky Lab\u2019s antimalware researchers are keeping close track of the threat actor responsible for the attack. It seems that Mamba is typically used to attack businesses and organizations: The Muni attack is not the first notch on Mamba\u2019s belt \u2014 and actually, 100 bitcoins is a rather small sum by these criminals\u2019 standards. Usually they demand much more.<\/p>\n<p>So, Mamba seems like a really nasty threat. What can you do to protect yourself and your organization from it?<\/p>\n<p>1. The SFMTA was able to get Muni up and running relatively quickly because it had backups. It\u2019s worth mentioning that these backups were not on network shares; otherwise, Mamba would\u2019ve encrypted them as well.<\/p>\n<p>The lesson here: Be like the SFMTA and back up your data regularly. Keep the backups either in the cloud or on external hard drives, not on your computer or network-attached devices.<\/p>\n<p>2. Be even smarter than the SFMTA and avoid getting infected by Mamba, or any other ransomware, at all. To do that, use a good security solution. 
<a href=\"https:\/\/www.kaspersky.co.za\/plus?reseller=en-za_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">Kaspersky Plus<\/a> detects Mamba (and HDDCryptor, and others like them) as HEUR:Trojan.Win32.Generic and doesn\u2019t give them a chance to encrypt anything.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n","protected":false},"excerpt":{"rendered":"<p>Ransomware infects 2,000 SFMTA computers, makes Muni rides free for the weekend.<\/p>\n","protected":false},"author":696,"featured_media":13540,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2670],"tags":[1887,1886,420,1888,422],"class_list":{"0":"post-13539","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-hddcryptor","10":"tag-mamba","11":"tag-ransomware","12":"tag-san-francisco","13":"tag-threats"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mamba-hddcryptor-ransomware\/13539\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/mamba-hddcryptor-ransomware\/10519\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/mamba-hddcryptor-ransomware\/8034\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/mamba-hddcryptor-ransomware\/8050\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/mamba-hddcryptor-ransomware\/9620\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/mamba-hddcryptor-ransomware\/9424\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/mamba-hddcryptor-ransomware\/13663\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/mamba-hddcryptor-ransomware\/2691\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mamba-hddcryptor-ransomware\/13539\/"},{"hrefl
ang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/mamba-hddcryptor-ransomware\/6375\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/mamba-hddcryptor-ransomware\/6770\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/mamba-hddcryptor-ransomware\/5778\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/mamba-hddcryptor-ransomware\/9302\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mamba-hddcryptor-ransomware\/13344\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/mamba-hddcryptor-ransomware\/13663\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mamba-hddcryptor-ransomware\/13539\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/13539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=13539"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/13539\/revisions"}],"predecessor-version":[{"id":24211,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/13539\/revisions\/24211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/13540"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=13539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=13539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.z
a\/blog\/wp-json\/wp\/v2\/tags?post=13539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}