The malicious software that disabled more than 2,000 Muni computer systems may have spread for two weeks, though the agency denies the attack has lasted that long.
Eric Psalmond, a local software engineer who studies IT security, told the San Francisco Examiner he saw the “You Hacked” message on a computer screen in a station agent’s booth at the Civic Center station on Nov. 13.
“I’m a software developer,” Psalmond said. “I recognized it immediately for being a crypto attack.”
San Francisco transit officials, however, said Muni computer systems were compromised late Friday after a San Francisco Municipal Transportation Agency employee apparently downloaded “ransomware,” a form of malware that allows an attacker to lock up a victim’s computers and demand a ransom to release them for use.
SFMTA spokesperson Paul Rose said it was “not true” that the malware attack ramped up for weeks, and said the attack only started late Friday and lasted until early Sunday.
The alleged attacker who took over Muni’s computer systems has demanded $73,000 in ransom for stolen city data.
But digital security professionals who spoke with the Examiner on background said a two-week ramp-up period prior to ransomware deployment is “very possible.”
“Once the attacker has a foothold in the environment, they will perform reconnaissance to understand the layout victim’s systems,” said Jason Rebholz, director of professional services at the cyber attack response firm The Crypsis Group.
That “reconnaissance” may allow an attacker to deploy that ransomware broadly throughout a computer network, according to Rebholz.
Meanwhile, FBI spokesperson Prentice Danner said the FBI “is aware of the intrusion and in contact with Muni officials.”
Rose said the SFMTA is also in communication with the Department of Homeland Security.
Earlier this year, the FBI released a statement saying ransomware-style attacks have been on the rise.
“Personal information of Muni customers were not compromised as part of this incident,” Rose said Monday.
“We’ve never considered paying the ransom,” Rose added, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”
The entire message across Muni computers on Friday and through the weekend read, “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.”
Lisa Walton, SFMTA’s chief technology officer, wrote an email to all of the agency’s nearly 6,000 employees late Sunday night regarding the attack.
When employees arrive at their workstations and their laptop or desktop is powered off, she wrote, if “you do not see a label that indicates ‘CLEAN’ DO NOT turn it on” until clearance is given.
Walton wrote that a “dedicated group” of staff worked over the weekend to ensure security of the SFMTA’s computer network.
Despite Rose’s guarantee of customer safeguards, the alleged malware attacker — known only by a common ransomware pseudonym, “Andy Saolis” — issued a new threat to Muni through various news agencies, claiming customer data was compromised on Monday.
“But if ugly hacker’s attack to Operational Railways System’s, what happen to You?” the alleged attacker wrote. “Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World!”
The alleged attacker wrote they gained access through a Windows 2000 PC server at the SFMTA, including “all payment kiosk and internal automation and Email,” and threatened to release 30 gigabytes worth of contracts, employee data, customer data and more.
The SFMTA’s deadline to pay the ransom is Friday, according to the alleged attacker, though previously the deadline was Monday.
The computer takeover is not an attempt to gain control of computer-run train operations, according to the alleged attacker.
The alleged attacker sent the Examiner and other news outlets a list of about 2,000 computers — out of the SFMTA’s estimated 8,000 computer systems — that they now control, which may give some indication of the data that the attackers have at their fingertips.
Among them were a computer belonging to Kate Toran, head of SFMTA taxi services; Muni “CCTVS,” which may stand for Closed Circuit TV (a surveillance system); Muni HR-DMV; and a computer named “DATSERVICES.”
Another computer, MUNIFLYNN, may contain data from Muni’s Flynn Division, which is a bus yard.
Rose said he had not seen the list of computers.
“Our firewalls were never penetrated,” Rose said reiterating that the SFMTA would not pay the ransom.