Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency (SFMTA).
In this attack, as we’ve seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives. We believe the threat actors behind the attack don’t use exploit kits and automated installers to instantly compromise and infect victims. Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware. While we don’t have specific information on how this was accomplished across SFMTA’s 2,000 machines, it is highly likely that it was through scheduling a job to run on all of the devices using some form of admin credentials.