The hacker who took over San Francisco's Muni got hacked

Last week, the San Francisco Municipal Light Rail system (the Muni) had to stop charging passengers to ride because a ransomware hacker had taken over its network and encrypted the drives of all of its servers.

The Muni's many screens displayed messages demanding that the system send bitcoin to cryptom27@yandex.com or never get its data back. This prompted an anonymous hacker to break into the cryptom27@yandex.com email account (by guessing the answer to the hacker's secret questions) and share its content with security journalist Brian Krebs; Krebs's source also broke into a backup account apparently associated with the same ransomware creep, cryptom2016@yandex.com.

The cryptom account was also linked to another (as yet unhacked) email, w889901665@yandex.com, which has been used to demand blackmail money in many other ransomware attacks.

Cryptom's preferred attack method is to scan for vulnerabilities in Oracle products, which he leverages to launch ransomware infections. Some of the companies that Cryptom attacked include China Construction of America Inc (which paid him 24 BTC); Irwin & Leighton; CDM Smith Inc; Skillman; and Rudolph Libbe Group.

Cryptom's nationality is hard to pin down; some evidence leads to Russia, but Krebs speculates that these might be deliberate red herrings, and that Cryptom may be in Iran.

According to a review of email messages from the Cryptom27 accounts shared by my source, the attacker routinely offered to help victims secure their systems from other hackers for a small number of extra Bitcoins. In one case, a victim that had just forked over a 20 Bitcoin ransom seemed all too eager to pay more for tips on how to plug the security holes that got him hacked. In return, the hacker pasted a link to a Web server, and urged the victim to install a critical security patch for the company's Java applications.

"Read this and install patch before you connect your server to internet again," the attacker wrote, linking to this advisory that Oracle issued for a security hole that it plugged in November 2015.

In many cases, the extortionist told victims their data would be gone forever if they didn't pay the ransom in 48 hours or less. In other instances, he threatened to increase the ransom demand with each passing day.

San Francisco Rail System Hacker Hacked [Brian Krebs/Krebs on Security]

(via /.)