A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.
Through Saturday and into Sunday, passengers were able to ride for free, some thinking it was a Black Friday holiday promotion. The station computers, however, showed the message “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”
SFMTA has so far given little official information, but did say the attack disrupted some internal computer systems, including email.
Spokesperson Paul Rose announced, “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact. Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.” Later, on Sunday, he said, “All fare gates are operational, as of this morning.”
Although the attack only had real public visibility from Saturday, CBS Local commented, “Inside sources say the system has been hacked for days.”
Researchers recognized the email address in the on-screen message and have engaged the person at the other end. This makes it fairly certain that the ransomware used in this attack is a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares. One of the replies from the Yandex account claimed, “All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!” and demanded 100 bitcoins (about $73,000) for the decryption key. At this point it seems as if the attacker wasn’t sure whether he was speaking to SFMTA or not.
Further emails led to the disclosure of the bitcoin wallet address. However, the attacker was soon getting concerned, responding, “we received many email from SFMTA! how are you and what’s your position there?” In a different exchange the attacker is said to have replied, “we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”