*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.*

Another cyberattack targets the San Fran Transport Agency.


Normally the 181 Express to San Jose will cost you about $10 and take about 1 hour and 42 mins. But this weekend you could travel for free, thanks to another demonstration of cybercrime—this one reconfirming the dangers of ransomware and its potentially devastating effects when used against public service networks.

In this case, screens that would normally show train departure and arrival times displayed a message informing users they had been hacked, and that MUNI, San Francisco's Municipal Transportation Agency, had one more day to pay the bitcoin ransom equivalent to $73K.

While it’s not yet known who’s responsible for the attack, nor exactly how they did it, numerous reports suggest the hacker used the email address previously linked to the Mamba ransomware strain first seen in September 2016.

A screen at a Muni train station shows the malware message from HDDCryptor.

Assuming this attack is linked or similar to Mamba, it’s worth looking at in a little more detail.

Mamba, named after the deadly snake, takes a different approach to encrypting files than other ransomware strains by trying to encrypt the entire drive—not just your data files. This means it’s not just your files but the whole OS, including the master file table, that could get encrypted.

Mamba uses the freeware DiskCryptor software to perform the encryption. It’s highly likely that unaware users are clicking on targeted emails, which download both the scripts and the tools needed to encrypt the drive.

This type of ransomware is perfect for an attack on an organization like MUNI. Why? Unlike other attacks we have seen (like in healthcare), where the encrypted data and personal files are worth big money on the black market, knocking operating systems out at a public transportation agency brings operations to a screaming halt, causing service disruption, revenue loss, and a ransom demand that starts to look well worth paying. And what commuters don’t think about while they are enjoying a free ride is that the lost revenue and ransom costs are more than likely going to be recouped through increased fares.

So, in the long run, everyone but the hacker loses out in the aftermath of an attack. That’s why organizations must do more to prevent attacks rather than simply detecting them.

Wherever you are in the world, you probably have organizations, governments, and security authorities providing recommendations on how to protect your organization from threats like Mamba. The FBI, the Australian Signals Directorate, the UK’s National Technical Authority for Information Assurance (CESG), and the SANS Institute are just some examples.

These experts all agree that to protect against attack you should:

  • Patch the OS
  • Patch apps (not just Microsoft ones)
  • Remove local administrative privileges from the desktop estate
  • Implement application control or whitelisting to allow only the known good

Endpoint Security Suite 2.0 delivers a unified solution supporting each of these controls. Shavlik Protect provides patch installation and management, and AppSense Application Manager contributes application control and privilege management (with AppSense Insight reporting on users with admin rights).