On the 26th of November, the San Francisco Examiner reported that the San Francisco Municipal Transportation Agency (SFMTA) had been hacked. Infected computers at Muni stations were reportedly downed by HDDCryptor ransomware, whose operators attempted to extort the agency for bitcoin. As a result, passengers got a free ride throughout the weekend: the agency was forced to open the gates because it was unable to process fare payments.
Muni ticket machines, kiosks, employee laptops, email and print services, payroll systems and SQL databases were compromised, according to The Register. Out of a total of 8,656 PCs and Macs on the agency’s network, 2,112 were compromised by the attack.
Typically, a machine is infected with HDDCryptor ransomware when an employee accidentally opens a booby-trapped executable, which can arrive by email or as a download. It took a single infection for the ransomware to spread throughout the network.
SFMTA’s computers showed a black screen with the message:
You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.
Paul Rose, an SFMTA spokesperson, said: “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact.”
According to an update by the Examiner, Muni drivers were assigned routes via handwritten notes posted on bulletin boards, as they didn’t have access to their computers. The attacker was identified as “Andy Saolis”, who said he had not yet been contacted by officials.
A 100 bitcoin ransom
The Verge, however, did contact Saolis. Reportedly, whenever the email address in the message was contacted, the following message came back as an automatic reply:
If You are Responsible in MUNI-RAILWAY ! All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit! We have 2000 Decryption Key ! Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!! We Only Accept Bitcoin , it’s So easy! you can use Brokers to exchange your money to BTC ASAP it’s Fast way!
The Verge got past that reply and managed to contact Saolis, who claimed the software was “working completely automatically” and that it wasn’t a targeted attack: SFMTA’s computers were compromised simply because they were vulnerable. 100 bitcoins are worth roughly $73,000.
The hacker claimed that if he wasn’t contacted, he would shut down the email address today. That would leave SFMTA’s network down for an undetermined period of time.
No reports state that Saolis was paid or even contacted by SFMTA. The agency’s employees, however, may also go unpaid, as the payroll system was compromised by the ransomware. Per the agency’s operating budget, daily losses are approximately $559,000.
According to reports, the fare machines are now back online, but it is still unknown how the system was restored. The rest of the network is reportedly still under the hacker’s control.