A Muni rider purchases a ticket at the Powell Street station (Jessica Christian/S.F. Examiner)

SFMTA denies claim that computer system attack has been ongoing

The malicious software that disabled more than 2,000 Muni computer systems may have spread for two weeks, though the agency denies the attack has lasted that long.

Eric Psalmond, a local software engineer who studies IT security, told the San Francisco Examiner he saw the “You Hacked” message on a computer screen in a station agent’s booth at the Civic Center station on Nov. 13.

“I’m a software developer,” Psalmond said. “I recognized it immediately for being a crypto attack.”

San Francisco transit officials, however, said Muni computer systems were compromised late Friday after a San Francisco Municipal Transportation Agency employee apparently downloaded “ransomware,” a form of malware that allows an attacker to lock up a victim’s computers and demand a ransom to release them for use.

SFMTA spokesperson Paul Rose said it was “not true” that the malware attack ramped up for weeks, and said the attack only started late Friday and lasted until early Sunday.

The alleged attacker who took over Muni’s computer systems has demanded $73,000 in ransom for stolen city data.

But digital security professionals who spoke with the Examiner on background said a two-week ramp-up period prior to ransomware deployment is “very possible.”

“Once the attacker has a foothold in the environment, they will perform reconnaissance to understand the layout of the victim’s systems,” said Jason Rebholz, director of professional services at the cyber attack response firm The Crypsis Group.

That “reconnaissance” may allow an attacker to deploy that ransomware broadly throughout a computer network, according to Rebholz.

Meanwhile, FBI spokesperson Prentice Danner said the FBI “is aware of the intrusion and in contact with Muni officials.”

Rose said the SFMTA is also in communication with the Department of Homeland Security.

Earlier this year, the FBI released a statement saying ransomware-style attacks have been on the rise.

“Personal information of Muni customers was not compromised as part of this incident,” Rose said Monday.

“We’ve never considered paying the ransom,” Rose added, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”

The entire message across Muni computers on Friday and through the weekend read, “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

Lisa Walton, SFMTA’s chief technology officer, wrote an email to all of the agency’s nearly 6,000 employees late Sunday night regarding the attack.

When employees arrive at their workstations and their laptop or desktop is powered off, she wrote, if “you do not see a label that indicates ‘CLEAN’ DO NOT turn it on” until clearance is given.

Walton wrote that a “dedicated group” of staff worked over the weekend to ensure security of the SFMTA’s computer network.

Despite Rose’s guarantee of customer safeguards, the alleged malware attacker — known only by a common ransomware pseudonym, “Andy Saolis” — issued a new threat to Muni through various news agencies, claiming customer data was compromised on Monday.

“But if ugly hacker’s attack to Operational Railways System’s, what happen to You?” the alleged attacker wrote. “Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World!”

The alleged attacker wrote they gained access through a Windows 2000 PC server at the SFMTA, including “all payment kiosk and internal automation and Email,” and threatened to release 30 gigabytes worth of contracts, employee data, customer data and more.

The SFMTA’s deadline to pay the ransom is Friday, according to the alleged attacker, though previously the deadline was Monday.

The computer takeover is not an attempt to gain control of computer-run train operations, according to the alleged attacker.

The alleged attacker sent the Examiner and other news outlets a list of about 2,000 computers — out of the SFMTA’s estimated 8,000 computer systems — that they now control, which may give some indication of the data that the attackers have at their fingertips.

Among them were a computer belonging to Kate Toran, head of SFMTA taxi services; Muni “CCTVS,” which may stand for Closed Circuit TV (a surveillance system); Muni HR-DMV; and a computer named “DATSERVICES.”

Another computer, MUNIFLYNN, may contain data from Muni’s Flynn Division, which is a bus yard.

Rose said he had not seen the list of computers.

“Our firewalls were never penetrated,” Rose said, reiterating that the SFMTA would not pay the ransom.
