San Francisco’s public transport agency suffered a crippling malware attack on Friday evening, as criminal hackers held the locked up system to a ransom of 100 bitcoins on Thanksgiving weekend.
Passengers were allowed to ride the rail system for free as over 2,100 different computers were affected within the Municipal Transportation Agency’s colossal network including ticket kiosks, office desktop computers, email servers and SQL databases.
According to passengers, screens briefly displayed a message from the hackers behind the infection: “You Hacked, ALL Data Encrypted, Contact For Key (cryptom27@yandex.com) ID:601.”
Apparently the SF Muni fell victim to ransomware last night #sanfrancisco #infosec pic.twitter.com/E1OVQpAAzY
— Colin Hellbut (@ColinHeilbut) November 26, 2016
.@sfmta_muni giving free rides today because hackers shut down the computer system. Employee computers showing this pic.twitter.com/fvVnUayWVG
— CBS News Bay Area (@KPIXtv) November 27, 2016
The lethal malware, which was a variant of a known strain called HDDCryptor, usually hits the system when a email or attachment hosting it is opened or downloaded. From there the malware virus gets to work, quickly encrypting hard drives and essential network files by generating random encryption keys. Newer versions of this malware also scramble the hard drive’s master boot record (MBR) locking the system hostage.
The extortionists behind the attack in San Francisco over the weekend demanded the equivalent of $73,000 be paid in bitcoins before they would free the network. The Yandex email address the hackers made appear on screen has been used in previous malware attacks. It offers each victim a personal ID through which to contact the malware gang.
Yandex is a Russian email provider, and journalists at the Verge who contacted the address reported that they had received the following response in broken English from those claiming responsibility:
“we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”
In a public statement to the press, the Municipal Transport Agency’s [SFMTA] spokesperson Paul Rose explained, “We are focused now on working to investigate the matter fully to find out all other details … [A]t this point there is no impact to transit service, to our security systems or to our customers’ private information.”
According to news-site Hoodline, some ticket kiosks were back up and running by Sunday morning. In a statement, the SFMTA said, “The situation is now contained, and we have prioritized restoring our systems to be fully operational. ”
The SFMTA has made no statements as to how this was achieved or whether officials had given in by simply paying the ransom. The downed network reportedly cost the city over $500,000 per day in uncollected fares.