Most ransomware deployers manage to stay unidentified because they exercise good OPSEC backed by The Onion Router and Bitcoin. The case of the cybercrook who compromised the computer network of the San Francisco Municipal Transportation Agency (Muni) last Friday turned out to be the exception rather than the rule. According to Brian Krebs, a well-known investigative reporter, a security researcher who wished to remain anonymous was able to hack the attacker’s email account firstname.lastname@example.org and thus obtained some interesting details of the nefarious business model.
Interestingly, the unnamed white hat hacker took advantage of the threat actor’s flagrant email insecurity to own him. He simply guessed the answer to the bad guy’s secret question, which allowed him to reset the password and thus authenticate successfully. Moreover, Mr. Krebs’ source discovered that a backup email address, email@example.com, was protected by the same secret question and an identical answer, so the recovery channel for one account was no stronger than the account itself. Obviously, the malefactor’s online hygiene leaves a lot to be desired.
The information uncovered via this benign breach turned out quite useful for the investigation of the entire HDDCryptor, or Mamba, ransomware campaign. According to the revealed details, Muni wasn’t the only victim of the pseudonymous criminal calling himself “Andy Saolis”. Just one week earlier, the crook had succeeded in ripping off a U.S. manufacturing company that was forced to cough up 63 Bitcoins, which is about $47,000.
Furthermore, based on the analysis of multiple Bitcoin wallets used by the attacker, his ransom earnings since August 2016 amounted to more than $140,000. Some of the compromised organizations were able to negotiate a lower ransom. The culprit mainly focused on hitting large manufacturing and construction firms based in the United States, including China Construction of America Inc., CDM Smith Inc., Irwin & Leighton and quite a few more.
Did the attacker specifically zero in on the San Francisco Muni? No. It was simply one of many targets swept up by a much broader campaign. An insight into the servers involved in these cyber assaults reveals that the offenders leveraged open-source tools to scan for enterprise networks with unpatched vulnerabilities. The most heavily used security loophole was the so-called ‘weblogic unserialize exploit’, which abuses a deserialization flaw in Oracle’s WebLogic server products. The software installed on the Muni network, apparently, had a vulnerability exploitable by the criminals’ toolset.
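The loophole named above is a Java native-deserialization flaw: an endpoint that calls `ObjectInputStream.readObject()` on attacker-supplied bytes will instantiate whatever classes the stream names and run their `readObject` logic. The vendor patch is the fix for WebLogic itself; the example below is an added illustration (not code from the original article or from Oracle) of the general defence for any Java service that must read serialized objects: a JEP 290 allowlist filter (Java 9 and later) that rejects every class the endpoint does not expect before it is ever constructed. The class and method names are mine, and the `UnexpectedType` class simply stands in for any type that is not on the allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Allowlist in JEP 290 pattern syntax: only the types this endpoint legitimately
    // expects, then "!*" to reject everything else. Superclasses that appear in the
    // stream (Number for Integer) must be listed as well, or the read is rejected.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Hypothetical type that is NOT on the allowlist. Its readObject shows that
    // code runs during deserialization whenever a stream names a class the JVM will load.
    static class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("UnexpectedType.readObject ran during deserialization");
        }
    }

    // Helper: turn an object graph into the byte stream a remote peer would send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered read: the behaviour of an unpatched, unfiltered endpoint.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Filtered read: the filter is consulted for every class descriptor in the stream;
    // a REJECTED status throws InvalidClassException before any constructor or
    // readObject of that class executes.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one the service expects, one it does not.
        List<Object> expected = new ArrayList<>();
        expected.add("kiosk-42");
        expected.add(63);
        byte[] good = serialize(expected);
        byte[] unexpected = serialize(new UnexpectedType());

        System.out.println("allowlisted payload -> " + readFiltered(good));

        readUnfiltered(unexpected);   // prints the line from readObject: logic already ran

        try {
            readFiltered(unexpected);
            System.out.println("unexpected type was accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filtered read accepts the `ArrayList` of `String` and `Integer` and throws `InvalidClassException` (message ending in `filter status: REJECTED`) for the unlisted type, without ever running its `readObject`. For a process-wide default rather than a per-stream filter, the same pattern string can be supplied through the `jdk.serialFilter` system property; an allowlist that names the expected types and ends in `!*` is the stance to prefer over a denylist of known gadget classes, because the denylist has to be updated every time a new chain is published.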
The server logs that were obtained also shed some light on the attacker’s location and persona. The campaign was mostly administered from Internet addresses in Iran. The malicious server also contains user account names that may facilitate the attribution process. In particular, a few of these names include Mokhi and Alireza. The latter is presumably a modified spelling variant of Ali Reza, a very widespread name in the Middle East in general and Iran in particular.
Another revealed detail, though, adds some confusion to the mix. A contact phone number, +78234512271, which is tied to one of the hosting accounts, is within the number range of a Russian mobile operator. This geo-discrepancy is probably a distraction maneuver, experts argue.
For the record, the HDDCryptor ransomware compromise rendered the San Francisco Municipal Transportation Agency’s computerized fare system inoperable last weekend. The infection encrypted the Master Boot Records of thousands of machines on the Muni network. The ticket kiosks displayed “Out Of Service” messages to passengers, who rode free for several days. The attack also affected the agency’s email servers and databases. The threat actor at firstname.lastname@example.org demanded 100 Bitcoins (about $74,000) for recovery. As of today, Muni’s IT team is struggling to restore data from backup and get the systems up and running without paying the ransom.