The hacker who attacked San Francisco's municipal transit system (Muni) recently suffered a reversal of his own when a security researcher reportedly gained access to his email inbox. That counter-hack revealed clues about the criminal's location, identity, and past extortion activities.
According to Brian Krebs, the security journalist who runs "KrebsOnSecurity", if the emails are genuine then the hacker is a successful ransomware peddler.
On 25 November, the attack hit Muni systems, disrupting internal networks and email services and affecting roughly 900 computers. Notices were also left on the terminals: "You are hacked. Your HDD encrypted. Contact us for the decryption key." The note listed a contact email address, firstname.lastname@example.org.
The hacker, using the fictitious name "Andy Saolis", demanded 100 Bitcoin (about $73,000, or £60,000 at the time) and threatened to release about 30GB of stolen data if payment was not made. The malware used in the attack is reported to be HDDCryptor, the full-disk ransomware also known as "Mamba".
An email to Cunningham said, "All Your Computer's/Server's in MUNI-RAILWAY Domain Encrypted by AES 2048Bit! We have 2000 Decryption Key! Send 100BTC to My Bitcoin Wallet, then We Send you Decryption key For Your All Server's HDD!!" The "AES 2048Bit" claim is not meaningful: AES keys are 128, 192 or 256 bits, and HDDCryptor performs its disk encryption by bundling the open-source DiskCryptor utility, so the note's wording says nothing reliable about the encryption actually used.
The leaked emails suggested that the hacker is a prolific extortionist who has done this to many victims before, most of them in the manufacturing and construction sectors. A scan of the associated Bitcoin wallets showed roughly $140,000 in funds.
Kristen Holland, a public relations representative with the SFMTA, said in a statement issued on 28 November that the organization had "never considered" paying the ransom demand: "We have an information technology team in place that can restore our systems, and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running, and our information technology team anticipates having the remaining computers functional in the next day or two."