San Francisco’s Municipal Railway, known as Muni, had its computerized fare systems hacked last week. It has since emerged that the attack came with a ransom demand of 100 bitcoin, worth roughly $73,000 at the time; the demand was not met.
Muni trains were never affected, but riders on Friday and Saturday got free rides as the message “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.” appeared on Muni agents’ computer screens. Ticket machines appeared to be out of order, with “Metro Free” signs placed in front of their screens.
Muni has not released findings from its ongoing investigation, but a few basic details of the attack have been gleaned. It appears to be a ransomware attack, the equivalent of locking Muni out of its own systems and demanding payment to get back in. The attacker or attackers used the pseudonym Andy Saolis.
Now the Yandex account Saolis named in the message has itself been hacked, this time by an anonymous researcher who contacted the cybersecurity site KrebsOnSecurity. The researcher, who got into the Yandex account by guessing the answers to its password-reset security questions, discovered the blackmail email sent to Muni infrastructure manager Sean Cunningham:
“if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!”
“HDD” is a reference to HDDCryptor, a ransomware family. (The note’s “AES 2048Bit” is a boast, not a real key size: AES keys are 128, 192 or 256 bits long.) According to researchers Stephen Hilt and William Gamazo Sanchez, HDDCryptor “not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.”
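The behaviour described above, a single infected host writing to file after file across every SMB share it can reach, is also what makes this class of ransomware detectable from the file server’s side. The following is an added example, not code from the article, from Muni, or from the HDDCryptor researchers: a small detector that reads file-server audit lines and flags any client that performs many write-type operations across several shares within a short window. The log format, the IP addresses, the share names and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines in a hypothetical format:
#   "<ISO-8601 time> <client IP> <operation> <UNC path>"
# 10.1.2.3 behaves like a host encrypting shares; 10.1.2.9 is normal traffic.
SAMPLE_LOG = r"""
2016-11-25T14:00:01 10.1.2.3 READ \\fs01\tickets\report.xlsx
2016-11-25T14:00:02 10.1.2.3 WRITE \\fs01\tickets\report.xlsx
2016-11-25T14:00:03 10.1.2.3 WRITE \\fs01\tickets\fares.csv
2016-11-25T14:00:03 10.1.2.3 WRITE \\fs01\hr\roster.docx
2016-11-25T14:00:04 10.1.2.3 RENAME \\fs02\ops\schedule.pdf
2016-11-25T14:00:04 10.1.2.3 WRITE \\fs02\ops\schedule.pdf
2016-11-25T14:00:05 10.1.2.3 WRITE \\fs02\ops\README.txt
2016-11-25T14:00:06 10.1.2.3 WRITE \\fs02\backups\db.bak
2016-11-25T14:00:07 10.1.2.3 WRITE \\fs01\hr\payroll.xlsx
2016-11-25T14:00:10 10.1.2.9 WRITE \\fs01\tickets\notes.txt
2016-11-25T14:05:00 10.1.2.9 WRITE \\fs01\tickets\notes.txt
2016-11-25T14:09:00 10.1.2.9 READ \\fs02\ops\schedule.pdf
"""

# time, client, op, then a UNC path split into server, share and the rest.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \\\\([^\\]+)\\([^\\]+)\\(.+)$")

# Operations that change data on the share; reads are ignored.
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Return (timestamp, client, op, share, path) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, op, server, share, path = m.groups()
    return datetime.fromisoformat(ts), client, op, f"\\\\{server}\\{share}", path


def detect_mass_share_writes(log_text, window=timedelta(seconds=60),
                             min_ops=5, min_shares=2):
    """Flag clients that issue >= min_ops write-type operations spread over
    >= min_shares distinct shares inside a sliding time window.

    Returns {client: {"ops": n, "shares": [...], "last_seen": datetime}} with
    the largest burst observed per client.
    """
    recent = defaultdict(deque)  # client -> deque of (timestamp, share)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, op, share, _path = rec
        if op not in WRITE_OPS:
            continue
        q = recent[client]
        q.append((ts, share))
        # Drop events that have aged out of the window (log is time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        shares = {s for _, s in q}
        if len(q) >= min_ops and len(shares) >= min_shares:
            prev = alerts.get(client)
            if prev is None or len(q) > prev["ops"]:
                alerts[client] = {"ops": len(q), "shares": sorted(shares),
                                  "last_seen": ts}
    return alerts


if __name__ == "__main__":
    for client, info in detect_mass_share_writes(SAMPLE_LOG).items():
        print(f"ALERT {client}: {info['ops']} write ops across "
              f"{len(info['shares'])} shares by {info['last_seen']}: "
              f"{', '.join(info['shares'])}")
```

The two-part condition (volume and spread across shares) is what separates encryption from a legitimate bulk copy into one directory; tune the window and thresholds to the server’s normal load, and treat an alert as a reason to cut the client’s SMB sessions first and investigate second.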
A look through the Saolis Yandex account shows that the attackers ran the same ransomware campaign against many private companies, and appears to show several of those companies quietly paying the bitcoin rather than disclosing that they had been hacked. Adding up the various bitcoin wallets Saolis set up, the operation appears to have collected about $140,000 in extortion payments.
Ransomware attacks became more prevalent in 2016, with hospitals repeatedly bearing the brunt of the bitcoin payments. Cybersecurity experts have called 2016 “the year of ransomware,” saying that over a billion dollars in bitcoin ransom has been paid worldwide. As the number of Internet-connected devices lacking proper security keeps expanding, it is easy to foresee a future in which this gets much worse.
At least Muni got the better of its attacker this time. Although Saolis set up a bitcoin wallet for the payment, Muni appears to have brought the situation under control without sending a single bitcoin to it. Muni has not officially commented on any claims of blackmail.