Hackers Hold SFMTA's Computer Network Hostage For $73K Ransom

Muni turnstiles at Powell Station. (Photo: Brittany Hopkins/Hoodline)
By Kevin Montgomery - Published on November 27, 2016.

Muni passengers were treated to free rides for much of the weekend after a cyber attack on Muni's computer network Friday afternoon left ticketing kiosks inoperable. But the San Francisco Municipal Transit Agency looks poised to lose more than a weekend of fares, Hoodline has learned.

According to the pseudonymous hacker, the agency's computers are being held for ransom for more than $73,000, with only one day left to pay—and nearly 25 percent of Muni's network has been compromised.

The severity of the attack still remains unknown to the public. However, documents released by one of the hackers suggest many vital agency functions have been compromised, including payroll, email servers, Quickbooks, NextBus operations, various MySQL database servers, staff training and personal computers for hundreds of employees.

In all, the hackers claim to control 2,112 computers—close to a quarter of SFMTA's 8,656-computer network.

In a statement released by agency spokesperson Paul Rose, the SFMTA said, “The incident remains under investigation, so it wouldn't be appropriate to provide any additional details at this point.”

The attack, first reported by the Examiner on Saturday, left kiosks across Muni's downtown stations with a message reading, “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

Unable to process fares, Muni left turnstiles open for passengers to ride freely.

Muni's computers have been hijacked using the HDDCryptor ransomware, which targets Windows machines. Also known as Mamba, the ransomware encrypts hard drives and requires a password to unlock, leaving Muni without access.

Reached at the provided email, the hackers, calling themselves “Andy Saolis,” demanded 100 Bitcoin—the equivalent of more than $73,000—from San Francisco's transit agency:

if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server's HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it's Fast way!

The hackers followed up, writing, “say to company owner we are waiting one more day for deal and after it this email closing for security reason!” In another email, they declared, “we only encrypt 2000 important server and PC, another systems don't point to us !”

Andy Saolis—a pseudonym commonly used in HDDCryptor ransom attacks—also provided a list of all 2,112 machines under their control, as well as a Bitcoin wallet to which the ransom could be paid. So far, no transfers have been posted to that wallet, but it is likely the hackers provided different wallets to each email contact to avoid being easily tracked.

SFMTA's backup servers did not appear to be among the thousands of impacted machines, which could allow the agency to avoid paying the ransom and restore its computers from previous copies of its system data. However, depending on how old the backups are, the agency still could risk losing critical information.

Ticketing machines at Civic Center station were running normally Sunday morning.

Mike Grover, a Bay Area security researcher who aided Hoodline in investigating this story, says there are a few ways the hackers could have taken over Muni's system. “My gut says they found a way to get inside before spreading the ransomware, through their domain controller or an administrator's machine, and then leverage that to then use the administrator's access to infect the rest of the network.”

Grover suggests the hackers could have used an email phishing scam to steal an agency IT administrator's password, thus giving the attackers direct access to Muni's servers to deploy the ransomware.

The impact of the hack could go beyond paying a ransom. According to KPIX 5, an SFMTA source claims “workers are not sure if they will get paid this week.” The agency also stands to lose approximately $559,000 for each day it is unable to collect fares, according to annual fare revenues disclosed in its adopted operating budget for this year.

Fortunately, fare machines were back online as of this morning. But the MTA is remaining quiet as to how it got the system back up—and whether the rest of its network is still under the hackers' control.
