A couple of weeks ago, a yet unknown attacker hacked the computer systems of the San Francisco’s Municipal railway causing a free ride for all that Saturday. The ransomware hacker was hacked back, and intrepid reporter Brian Krebs was contacted by the anonymous counter-hacker who took over the email account that was reported in the ransom note provided in the attack: “Contact for key (cryptom27@yandex.com)”
The ransom demanded from the San Francisco Municipal Transportation Agency (SFMTA) was 100 BTC, or $73,184 USD with current exchange rates.
The security researcher who hacked back the Muni hacker broke into the email account by correctly guessing the security question protecting it, and then resetting the password and locking down the account including the secondary address which was cryptom2016@yandex.com.
“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.” wrote Krebs. “A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.”
The analysis of the Bitcoin wallets used by the Muni hacker revealed that he earned $140,000 in the last three months. In this period he used to continuously switch Bitcoin wallets randomly every few days or weeks to thwart investigations. Most of the attempts of extortion targeted US-based construction and manufacturing companies, and in many cases, the victims appear to have complied with the demands.
“On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.” added Krebs. ““Emails from the attacker’s inbox indicate some victims managed to negotiate a lesser ransom. China Construction of America Inc., for example, paid 24 Bitcoins (~$17,500) on Sunday, Nov. 27 to decrypt some 60 servers infected with the same ransomware — after successfully haggling the attacker down from his original demand of 40 Bitcoins. Other construction firms apparently infected by ransomware attacks from this criminal include King of Prussia, Pa. based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm based in Walbridge, Ohio.””
The experts discovered that the server was used to hack into systems worldwide, it was hosting several open-source hacking tools, and that the Muni hacker used internet addresses based in Iran, they found also some notes which were translated into Farsi.
What to do about it
Brian Krebs wrote: "The data leaked from this one actor shows how successful and lucrative ransomware attacks can be, and how often victims pay up. For its part, the SFMTA said it never considered paying the ransom."
You need off-site backups that cannot be compromised, but some instances of ransomware can lock cloud-based backups when systems are configured to continuously back up in real-time. For more tips on how to avoid becoming the next ransomware victim, check out the FBI’s most recent advisory on ransomware.
Krebs ended with: "Finally, as I hope this story shows, truthfully answering secret questions is a surefire way to get your online account hacked. Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases — as with United Airlines’s atrocious new password system — answering secret questions is unavoidable. In cases where I’m allowed to type in the answer, I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing."
That is an excellent piece of advice, and part of new-school security awareness training which all users should be stepped through as soon as possible, followed up by frequent simulated phishing attacks. Start with a free Phishing Security Test, and phish your users to see how many click. Often an unpleasant surprise but a great catalyst to get buy-in and fast budget:
Don't like to click on redirected links" Cut & Paste this link in your browser:
