Muni Hacked With “All Data Encrypted” Message, Hackers Demand ‘$73,000’ In Ransom
The San Francisco Municipal Transit Agency (SFMTA) computers were hacked last weekend, resulting in free Muni rides for passengers. It has now been reported that computer systems at San Francisco’s transit system, Muni, have been restored following a malware attack on Friday afternoon.
Following the attack, payment systems across the agency’s subways read “OUT OF ORDER” in large red digital letters at Powell Station, Embarcadero Station and other stations across The City.
Passengers were not able to purchase transit tickets as a result of the malfunction. The fare machines at all the stations on Friday and Saturday displayed the message, “You Hacked, ALL Data Encrypted. Contact For Key(email@example.com)ID:681 ,Enter,” according to SFMTA spokesman Paul Rose. The transit authorities opened fare gates on Saturday to “minimize customer impact,” as they were unable to charge passengers fares.
On Sunday morning, Muni officials said fare gates and machines were operating again at Powell station and elsewhere. However, it is unclear how many computer systems at SFMTA remain compromised, and how many have been restored to working order.
As of late Sunday, Muni drivers were being assigned routes via handwritten notes posted to bulletin boards rather than the usual computer printouts, which Muni operators verified on background.
The attack itself was a ransomware scheme asking for 100 bitcoins (about $73,000) to unlock more than 2,000 compromised transit system computers, according to The Register:
These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. It appears the malware was able to reach the agency’s domain controller and compromise network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency’s network.
After the vulnerable computers were infected and their storage scrambled, they were rebooted by malware and, rather than start their operating system, they instead displayed the message: “You Hacked, ALL Data Encrypted, Contact For Key (firstname.lastname@example.org) ID:601.”
While the Muni hacker’s intentions are still unknown, The Verge included this email from the hacker: “We don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”
On the other hand, KPIX-TV, citing an unnamed transit authority source, reports that the computer system had actually been hacked days in advance, but officials declined to provide additional information on the attack.
“Because this is an ongoing investigation it would not be appropriate to provide additional details at this point,” Rose told the station.