The San Francisco Municipal Transit Agency (MUNI) was hacked over the weekend, causing an outage to the service’s ticketing system. The cyberattack also impacted the Municipal Transportation Agency’s email system. Reports estimate that 2,112 systems were infected. Muni spokesperson Paul Rose said the hack was discovered on Friday.
Right now, it is believed that an employee of SFMTA with “admin level” access on the agency’s network downloaded a software keycode generator that carried the malicious code. A brief message left by the hackers on Muni ticketing systems read: “You Hacked, ALL Data Encrypted.” Little information about the hack was made publicly available by Muni over the weekend. The full impact of the hack remains unknown.
Instead of shutting down the network, the affected machines were turned off and passengers were allowed to ride for free. “Out of Service” was displayed in red across the top of Muni ticket payment machines. Some also had a note over the screen which read “FREE MUNI.”
Rose said, “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact.” Some were happy to be able to ride for free over the holiday weekend. Some reportedly thought the free rides were part of a Thanksgiving gift or “Black Friday deal.”
The extortionists using the address Cryptom27@yandex.com (shown to have been behind the hack) have a long history in demanding ransom from web users. They infect computer systems with malware, then tell the victims that if they want access to their data, they must pay for an encryption key. The hackers demanded 100 Bitcoin, worth roughly $70,000, to restore the MUNI systems.
Rose said that this hack is the first to Muni’s systems in recent memory. The ransomware attack is reportedly being investigated by law enforcement. Rose declined to give more information, saying, “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”
Some believe that the malware in use was HDDCryptor, which targets the information in drives, folders, files, printers, and serial ports while locking the drive. The malware will infect any computer which downloads and attempts to run it. Different email addresses have been attached to HDDCryptor ransomware messages, so numerous criminals could have access to the malware. It is also possible that one group is using multiple addresses to throw off investigators.
Ransomware hacks have been causing grief across the country. Churches, schools and hospitals have all been targets of ransomware attacks in the past year. MUNI’s systems appear to have been cleaned of infection and the machines are back up and running today. According to reports, it appears that the ransom was not paid.