Muni's fare payment system read "Out of Order" Saturday. (Joe Fitzgerald Rodriguez/S.F. Examiner)

Alleged Muni ‘hacker’ demands $73,000 ransom, some computers in stations restored

Computer systems at San Francisco’s transit system, Muni, have been restored following a malware attack on Friday afternoon.

Payment systems across the agency’s subways read “OUT OF ORDER” in large red digital letters at Powell Station, Embarcadero Station and other stations across The City following the attack.

On Friday and Saturday, computers in station agents’ booths across the San Francisco Municipal Transportation Agency displayed “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

UPDATE: Muni guarantees customer data not at risk as hacker sends new threat

As of Sunday, some payment systems and station agency computers were visibly in operation at Powell Station and elsewhere. It is unclear how many computer systems Muni-wide are still inoperable, if any.

As of late Sunday, Muni drivers were being assigned routes via handwritten notes posted to bulletin boards rather than the usual computer printouts, Muni operators confirmed on background.

Meanwhile, one person who may have spread the malware which disabled Muni computers said they want $73,000 as ransom in exchange for captured transit agency data, the San Francisco Examiner has learned.

The Examiner contacted the email address displayed on the hacked Muni screens and someone calling themselves “Andy Saolis” responded, and said they spread the malware to Muni.

City transit officials would not confirm the identity of the attacker, and Saolis said transit officials had not yet contacted them.

“We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” Saolis wrote.

SFMTA spokesperson Paul Rose said “there is an ongoing investigation and it wouldn’t be appropriate to provide additional details.”

This form of malware is frequently called “ransomware,” as the targets of the attack see their computers and key data locked from access by a form of computer encryption. According to a public statement from the FBI made in April, these types of attacks are ramping up against public agencies.

“The inability to access the important data these kinds of organizations keep can be catastrophic,” the FBI wrote, in terms of “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.”

It may not be accurate to call the authors of the malware “hackers,” because instead of trying to break into the transit agency’s computers by coding means, they generally “phish” for staffers who inadvertently download the malware, either through targeted emails or by other means.

This may be exactly what happened, according to Saolis.

The attack was not targeted, they wrote; the malware infected an “admin”-level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator.

“Our software try to infect anything available and SFMTA station was leak point !” Saolis wrote.

Saolis then said they only accept Bitcoin, an electronic form of currency, and demanded 100 Bitcoin, which is about equivalent to $73,000 U.S. Saolis said no official from SFMTA contacted them.

“Maybe they need learning something in hard-way!” Saolis wrote, via email.

With some Muni computers now operational, it is unclear how much leverage Saolis may have. Saolis told tech media outlet The Verge that they would close off the ransom period on Monday.

SFMTA employees speaking to the Examiner on background said their payment system, which is software by Trapeze Group, was inaccessible over the weekend, and they fear the personal data of nearly 6,000 employees is at risk.

The SFMTA was unable to verify the payment systems were inaccessible, but Rose said “there has been no impact to transit service or the safety of our systems,” and employees will be paid.

According to the Examiner’s media partner, Hoodline, which also contacted the alleged malware attackers, they are still in control of 2,112 of the 8,656 computers on SFMTA’s network.

“They don’t care about the data,” said Mike Grover, an IT manager at a San Francisco tech company who also researches tech security.

If the ransom period is closed, he said, “What would happen at that point is the [ransomed] machines would be permanently encrypted.”

It is still unclear how many computer systems at SFMTA remain compromised, and how many have been restored to working order.
