Computer systems at San Francisco’s transit system, Muni, have been restored following a malware attack on Friday afternoon.
Payment systems across the agency’s subways read “OUT OF ORDER” in large red digital letters at Powell Station, Embarcadero Station and other stations across The City following the attack.
On Friday and Saturday, computers in station agents’ booths across the San Francisco Municipal Transportation Agency displayed “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.”
As of Sunday, some payment systems and station agency computers were visibly in operation at Powell Station and elsewhere. It is unclear how many computer systems Muni-wide are still inoperable, if any.
As of late Sunday, Muni drivers were assigned routes via handwritten notes posted to bulletin boards, as opposed to the usual computer printouts, which was verified by Muni operators on background.
Meanwhile, one person who may have spread the malware which disabled Muni computers said they want $73,000 as ransom in exchange for captured transit agency data, the San Francisco Examiner has learned.
The Examiner contacted the email address displayed on the hacked Muni screens and someone calling themselves “Andy Saolis” responded, and said they spread the malware to Muni.
City transit officials would not confirm the identity of the attacker, and Saolis said transit officials had not yet contacted them.
“We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” Saolis wrote.
SFMTA spokesperson Paul Rose said “there is an ongoing investigation and it wouldn’t be appropriate to provide additional details.”
This form of malware is frequently called “ransomware,” as the targets of the attack see their computers and key data locked from access by a form of computer encryption. According to a public statement from the FBI made in April, these types of attacks are ramping up against public agencies.
“The inability to access the important data these kinds of organizations keep can be catastrophic,” the FBI wrote, in terms of “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.”
It may not be accurate to call the authors of the malware “hackers,” because instead of trying to break into the transit agency’s computers by technical means, they generally “phish” for staffers who inadvertently download the malware, whether via targeted emails or other means.
This may be exactly what happened, according to Saolis.
It was not a targeted attack, they wrote, and infected an “admin” level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator.
“Our software try to infect anything available and SFMTA station was leak point !” Saolis wrote.
Saolis then said they only accept Bitcoin, an electronic form of currency, and demanded 100 Bitcoin, roughly equivalent to $73,000 U.S. Saolis said no official from SFMTA had contacted them.
“Maybe they need learning something in hard-way!” Saolis wrote, via email.
With some Muni computers now operational, it is unclear how much leverage Saolis may have. Saolis told tech media outlet The Verge that they would close off the ransom period on Monday.
SFMTA employees speaking to the Examiner on background said their payment system, which is software by Trapeze Group, was inaccessible over the weekend, and they fear the personal data of nearly 6,000 employees is at risk.
The SFMTA was unable to verify the payment systems were inaccessible, but Rose said “there has been no impact to transit service or the safety of our systems,” and employees will be paid.
According to the Examiner’s media partner, Hoodline, which also contacted the alleged malware attackers, they are still in control of 2,112 of the 8,656 computers on SFMTA’s network.
“They don’t care about the data,” said Mike Grover, an IT manager at a San Francisco tech company who also researches tech security.
If the ransom period is closed, he said, “What would happen at that point is the [ransomed] machines would be permanently encrypted.”
It is still unclear how many computer systems at SFMTA remain compromised, and how many have been restored to working order.