Muni's fare payment system read "Out of Order" Saturday. (Joe Fitzgerald Rodriguez/S.F. Examiner)

Alleged Muni ‘hacker’ demands $73,000 ransom, some computers in stations restored

Computer systems at San Francisco’s transit system, Muni, have been restored following a malware attack on Friday afternoon.

Payment systems across the agency’s subways read “OUT OF ORDER” in large red digital letters at Powell Station, Embarcadero Station and other stations across The City following the attack.

On Friday and Saturday, computers in station agents’ booths across the San Francisco Municipal Transportation Agency displayed “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

UPDATE: Muni guarantees customer data not at risk as hacker sends new threat

As of Sunday, some payment systems and station agency computers were visibly in operation at Powell Station and elsewhere. It is unclear how many computer systems Muni-wide are still inoperable, if any.

As of late Sunday, Muni drivers were assigned routes via handwritten notes posted to bulletin boards, as opposed to the usual computer printouts, which was verified by Muni operators on background.

Meanwhile, one person who may have spread the malware which disabled Muni computers said they want $73,000 as ransom in exchange for captured transit agency data, the San Francisco Examiner has learned.

The Examiner contacted the email address displayed on the hacked Muni screens and someone calling themselves “Andy Saolis” responded, and said they spread the malware to Muni.

City transit officials would not confirm the identity of the attacker, and Saolis said transit officials had not yet contacted them.

“We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” Saolis wrote.

SFMTA spokesperson Paul Rose said “there is an ongoing investigation and it wouldn’t be appropriate to provide additional details.”

This form of malware is frequently called “ransomware,” as the targets of the attack see their computers and key data locked from access by a form of computer encryption. According to a public statement from the FBI made in April, these types of attacks are ramping up against public agencies.

“The inability to access the important data these kinds of organizations keep can be catastrophic,” the FBI wrote, in terms of “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.”

It may not be accurate to call the authors of the malware “hackers,” because instead of trying to break into the transit agency’s computers through code, they generally “phish” for staffers who inadvertently download the malware, either through targeted emails or by other means.

This may be exactly what happened, according to Saolis.

The attack was not targeted, they wrote; the malware infected an “admin”-level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator.

“Our software try to infect anything available and SFMTA station was leak point !” Saolis wrote.

Saolis then said they only accept Bitcoin, an electronic form of currency, and demanded 100 Bitcoin, which is about equivalent to $73,000 U.S. Saolis said no official from SFMTA contacted them.

“Maybe they need learning something in hard-way!” Saolis wrote, via email.

With some Muni computers now operational, it is unclear how much leverage Saolis may have. Saolis told tech media outlet The Verge that they would close off the ransom period on Monday.

SFMTA employees speaking to the Examiner on background said their payment system, which is software by Trapeze Group, was inaccessible over the weekend, and they fear the personal data of nearly 6,000 employees is at risk.

The SFMTA was unable to verify the payment systems were inaccessible, but Rose said “there has been no impact to transit service or the safety of our systems,” and employees will be paid.

According to the Examiner’s media partner, Hoodline, which also contacted the alleged malware attackers, they are still in control of 2,112 of the 8,656 computers on SFMTA’s network.

“They don’t care about the data,” said Mike Grover, an IT manager at a San Francisco tech company who also researches tech security.

If the ransom period is closed, he said, “What would happen at that point is the [ransomed] machines would be permanently encrypted.”

It is still unclear how many computer systems at SFMTA remain compromised, and how many have been restored to working order.
