Last Friday, San Francisco's busy subway services were attacked, leaving customers free to ride the trains without paying during the busy post-Thanksgiving shopping weekend. It has since emerged that hackers hijacked San Francisco's Municipal Transportation Agency (SFMTA), also known as MUNI, by shutting down workstations, ticket machines and computers. The criminals attacked the organisation's domain controller and network-attached Windows systems. There are roughly 8,500 computers, Macs and other boxes on the agency's network; 2,112 infected computers displayed a message which read: “You Hacked, ALL Data Encrypted. Contact For key(email@example.com)ID:681 ,Enter”. That is not all: the attackers demand a 100 bitcoin ransom, worth about $73,000, before they will unlock the systems and restore MUNI's services. Over the weekend, as a precautionary measure, staff shut down all ticketing machines on the network. Despite this interruption, trains ran as normal, and a comprehensive investigation is now underway. On Sunday the ticketing machines were re-enabled, but it is unclear whether the attack has been contained.
MUNI have been told by the hackers that they have one more day to pay the ransom. As it stands, nearly 25% of the subway's network has already been compromised. The full severity of the attack is still unknown, but documents and systems such as payroll, the email server, QuickBooks MySQL database servers, staff training and many employees' personal computers may have been corrupted. MUNI's systems were hijacked with HDDCryptor ransomware, which targets Windows machines. Also known as Mamba, the ransomware encrypts hard drives and requires a password to unlock them, leaving MUNI without access. The hackers, who identify themselves as “Andy Saolis”, a pseudonym commonly associated with HDDCryptor ransom attacks, also provided a list of all 2,112 machines under their control, as well as a Bitcoin wallet into which the ransom could be paid. So far, the heads of the agency have taken no steps to pay into the wallet, and it is likely the hackers provided a different wallet to each email contact to avoid being tracked.
A target machine is commonly infected when a user accidentally opens a malicious email attachment or download, which then allows the malware to spread across the entire network. The email address, firstname.lastname@example.org, used by the anonymous criminal suggests that it is a Russian email address. This address was set up to arrange payment, and it has also been linked to other cyber attacks.
The loss of revenue from the busy weekend has meant that the transit agency has been losing $559,000 each day it was unable to collect fares.
MUNI spokesman Paul Rose, as reported by The Register, said his agency was investigating the matter and "working to resolve the situation," but did not provide details as to how MUNI was hacked. "We are currently working to resolve the situation. There is an ongoing investigation, and it wouldn’t be appropriate to provide additional details at this point." MUNI were finally able to take customers’ payments yesterday morning.
On Sunday the ransom hackers sent an email in broken English stating: "Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 server/PCs [were] infected by software. So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we close this email [account] tomorrow."
As far as MUNI can tell, the San Francisco Municipal Transportation Agency's backup servers were not affected by the attack, which could allow the agency to avoid paying the ransom and restore the infected computers from backup. However, this depends on how old the backups are and on whether the hackers have already found a way to compromise those too. Such critical information could still be in danger. Until then, or until the hackers have been located, the MTA system remains under the control of the cyber hackers calling themselves Andy Saolis.