San Francisco latest victim of ransomware

The San Francisco transit system is the latest public-sector victim of ransomware after attackers shut down ticketing machines and demanded payment.

The attack occurred on Friday, Nov. 25, with a message appearing on station workers’ computer screens: "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681, Enter."

By Sunday, the city’s Municipal Transit Agency said it had the situation “contained” and was restoring “systems to be fully operational.”

Meanwhile, on Friday and Saturday, riders on Muni -- San Francisco’s light rail system -- were met with signs on ticketing machines saying the trips were free. More than 700,000 people ride Muni every day, according to SFMTA numbers, but it’s not clear how much revenue was lost because of this attack.

The transit agency’s website confirmed the attack was ransomware but didn’t provide details because it said it is still investigating the incident, according to The San Francisco Examiner. But The Examiner learned the attacker was asking for $73,000 in bitcoin to turn the system back over to the city. SFMTA said its systems are operating regularly now, but hasn’t commented on whether the ransom was paid.

“Transit service was unaffected, and there were no impacts to the safe operation of buses and Muni Metro,” SFMTA said on its website. No customer info was taken, the agency added.

Media outlets contacted the email address in the ransomware message. In a response to an inquiry from The Examiner, hackers using the name “Andy Saolis” confirmed they were behind the attack, which they said was launched for financial reasons. When contacted by The Verge, the attackers responded that they weren’t seeking media attention and the SFMTA systems were easily penetrable.

“we don't attention to interview and propagate news !” the response sent to The Verge read. “our software working completely automatically and we don't have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don't want deal ! so we close this email tomorrow!”

Multiple studies have shown an increase in ransomware in 2016. The number of ransomware families has increased to about 100, and the average ransom is $679, according to a Symantec report. “As ransomware gangs continue to refine their tactics, organizations cannot become complacent,” the report said. “Businesses should continue to review and improve their security in the face of this rapidly evolving threat.”

“Modern transit systems are heavily dependent on a variety of information technology systems and therefore are naturally ‘at risk’ to a wide spectrum of cyberthreats,” according to a 24-page report on cybersecurity considerations for transit systems from the American Public Transit Association. “Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data.”

The Examiner learned through its interview with “Saolis” that the infection was spread via an administrative-level computer after a user downloaded a file. Phishing can be hard to stop, according to cybersecurity experts. “Regardless of the level or amount of technology deployed as part of any security system, it is the human element that will remain the weakest link in any security system,” APTA said.

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at mleonard@gcn.com or follow him on Twitter @Matt_Lnrd.
