The San Francisco Municipal Transportation Agency was hacked last weekend by someone who calls himself “Andy Saolis” and who managed to infect systems with ransomware.
Due to the infection, all passengers received free rides on the metro, and the hacker asked for a 100 Bitcoin ($73,000) ransom in order to remove the malware, also threatening to leak 30 GB of files containing information of customers, contracts, and employees.
And yet, it appears that Andy Saolis wasn’t as vigilant as you’d normally expect a hacker to be, as a security researcher managed to break into his email address and discover details that could really be helpful during the investigation.
KrebsOnSecurity reports that the security researcher who wanted to remain anonymous accessed the hacker’s email address (which himself made public after the attack of the ransom) by simply guessing the answer to his secret question. The password was then reset to take full control of the account, the source writes.
A message left in the sent folder shows that the hacker indeed contacted MUNI officials on November 25 to report the breach and ask for a ransom. The message was the following:
“if You are Responsible in MUNI-RAILWAY ! All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit! We have 2000 Decryption Key ! Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!”
And it appears that this wasn’t the first time he managed to infect systems with ransomware, as evidence of other breaches was also found in his email account. At least $140,000 Bitcoin was obtained from various organisations in the previous months and there’s a good chance that other unknown breaches occurred as well, as the hacker reportedly linked his email account to another email at Yandex.
It goes without saying that the account can be used by investigators to find out who the hacker actually is, and KrebsOnSecurity notes that some connections with hosting providers have also been discovered. Passwords for some hosting accounts were stored in plain text in emails, and accessing those servers was also possible.
In the meantime, MUNI claims it has already removed the malware from its systems and said that no data was compromised, despite hackers’ claims that 30 GB of files were stolen.