It was a transportation system ransomware attack.
The San Francisco Municipal Railway (MUNI) suffered a hack attack last Friday afternoon that ended up providing free rides to all passengers, with the gates remaining open until late Saturday.
The hacker who compromised the system left a message asking for a ransom should the San Francisco authorities want to restore the service.
The screens at MUNI stations displayed a message reading “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681, Enter,” while machines were printing tickets with short messages such as “Out of Service” and “Metro Free.”
After contacting the hacker, the San Francisco Examiner confirmed he was looking for a deal with the MUNI in order to restore the metro services.
“We don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!” the hacker was quoted as saying.
While the payment system suffered from the hack, MUNI officials said the transportation service did not feel the impact in any way and the gates were intentionally open “to minimize customer impact.”
“Because this is an ongoing investigation it would not be appropriate to provide additional details at this point,” MUNI spokesperson Paul Rose said.
In another email, the hacker who calls himself “Andy Saolis” demanded 100 Bitcoin ($73,000) to remove the malware.
“Our software try to infect anything available and SFMTA station was leak point !” Saoils wrote. “Maybe they need learning something in hard-way!”
In response to what it would it take to accomplish this, Amichai Shulman, CTO of security provider Imperva said, “the answer is very simple, generic and will hold true forever — it takes an organization that uses computers and hires people.
“Ransomware is delivered in various forms of email messages, either containing infected files or linking to infected pages, or files. These email messages are delivered through massive phishing campaigns to millions of individuals, some of which will fall prey despite all precautions.
“Our previous research shows that most infections, any type of infection, on end points happen during work hours, hence it is not uncommon to see an enterprise end station hit by ransomware. The most important thing to notice in such incidents – clearly demonstrated in this case – is that while ransomware in home machines usually affect data (which can be recovered through paying the ransom), in enterprise machines, ransomware usually incurs operational damages (in this case – people riding public transportation for free and a disruptive investigation) that cannot be recovered or avoided by paying a ransom.”
Tim Erlin, senior director of IT security and risk strategy for Tripwire said, “Gaining a complete understanding of the extent and root cause of a breach can take a significant amount of time, as we’ve seen in other incidents. Muni is certainly not alone in falling victim to ransomware. The most concerning aspect of this incident is that the ticketing machines were infected. There should be controls in place to segregate networks in such a way that these machines aren’t connected with those that could infect them.”