Hackers Hold SFMTA's Computer Network Hostage For $73K Ransom

Muni turnstiles at Powell Station. (Photo: Brittany Hopkins/Hoodline)
Kevin Montgomery
Published on November 27, 2016

Muni passengers rode free for much of the weekend after a cyberattack on Muni's computer network on Friday afternoon left ticketing kiosks inoperable. But the San Francisco Municipal Transportation Agency (SFMTA) looks poised to lose more than a weekend of fares, Hoodline has learned.

According to the pseudonymous hacker, the agency's computers are being held for a ransom of more than $73,000, with only one day left to pay, and nearly 25 percent of Muni's network has been compromised.

The severity of the attack remains unknown to the public. However, documents released by one of the hackers suggest that many vital agency functions have been compromised, including payroll, email servers, QuickBooks, NextBus operations, various MySQL database servers, staff training systems and the personal computers of hundreds of employees.

In all, the hackers claim to control 2,112 computers—close to a quarter of SFMTA's 8,656-computer network.

Agency spokesperson Paul Rose said in a statement, “The incident remains under investigation, so it wouldn't be appropriate to provide any additional details at this point.”

The attack, first reported by the Examiner on Saturday, left kiosks across Muni's downtown stations with a message reading, “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

Unable to process fares, Muni left turnstiles open for passengers to ride freely.

Muni's computers were hijacked using the HDDCryptor ransomware, which targets Windows machines. Also known as Mamba, HDDCryptor encrypts entire hard drives rather than individual files, and it overwrites the machine's boot record so that the computer shows a password prompt before Windows can even load, which is why the kiosks displayed the ransom message instead of starting up. Without that password, Muni is locked out of the affected machines.

Reached at the provided email, the hackers, calling themselves “Andy Saolis,” demanded 100 Bitcoin—the equivalent of more than $73,000—from San Francisco's transit agency:

if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server's HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it's Fast way!

The hackers followed up, writing, “say to company owner we are waiting one more day for deal and after it this email closing for security reason!” In another email, they declared, “we only encrypt 2000 important server and PC, another systems don't point to us !”

Andy Saolis—a pseudonym commonly used in HDDCryptor ransom attacks—also provided a list of all 2,112 machines under their control, as well as a Bitcoin wallet to which the ransom could be paid. So far, no transfers have been posted to that wallet, but it is likely the hackers provided different wallets to each email contact to avoid being easily tracked.

SFMTA's backup servers did not appear on the list of impacted machines, which could allow the agency to avoid paying the ransom and restore its computers from earlier copies of their data, provided those backups are intact and were not reachable from the compromised domain. However, depending on how old the backups are, the agency could still lose critical information.

Ticketing machines at Civic Center station were running normally Sunday morning.

Mike Grover, a Bay Area security researcher who aided Hoodline in investigating this story, says there are a few ways the hackers could have taken over Muni's system. “My gut says they found a way to get inside before spreading the ransomware, through their domain controller or an administrator's machine, and then leverage that to use the administrator's access to infect the rest of the network.”

Grover suggests the hackers could have used a phishing email to steal an agency IT administrator's password, giving them direct access to Muni's servers from which to deploy the ransomware.

The impact of the hack could go beyond paying a ransom. According to KPIX 5, an SFMTA source says “workers are not sure if they will get paid this week.” The agency also stands to lose approximately $559,000 for each day it is unable to collect fares, based on the annual fare revenues disclosed in its adopted operating budget for this year.

Fortunately, fare machines were back online as of this morning. But the SFMTA is staying quiet about how it got the system back up, and about whether the rest of its network is still under the hackers' control.