San Francisco’s Muni public transit system was reportedly hit by a ransomware attack over the weekend that took the light rail transit offline on Saturday (Nov. 26), right in the middle of the busy Thanksgiving holiday shopping weekend.
According to the San Francisco Examiner, the computer screens of Muni agents displayed the message, “You Hacked, ALL Data Encrypted” beginning Friday night. The attacker demanded 100 bitcoin (approximately $73,000) in ransom, and the message said to contact cryptom27@yandex.com for the decryption key.
Rather than paying the ransom, the San Francisco Municipal Transportation Agency (SFMTA) allowed patrons to ride for free until the system was back up and running normally the following day. While the cyberattack impacted Muni’s email and internal computer system, it did not impact the agency’s ability to run the city’s bus, light rail and streetcar systems.
In an interesting twist of events, Brian Krebs of Krebs on Security reported that the hacker believed to be behind the attack on the SFMTA was himself hacked over the weekend.
According to Krebs, a security researcher said he compromised the inbox of the hacker after seeing a news article on the SFMTA hack. The security researcher, who asked to remain anonymous, told Krebs he was able to guess the answer to the extortionist’s secret question and then reset the email password.
Copies of messages in the inbox shared with Krebs on Security revealed that the criminal has used more than a dozen different bitcoin wallets since August to extort at least $140,000 in bitcoin from victim organizations.
“It appears our attacker has been using a number of tools which enabled the scanning of large portions of the internet and several specific targets for vulnerabilities,” Alex Holden, chief information security officer at Hold Security, told Krebs on Security. “The most common vulnerability used ‘weblogic unserialize exploit’ and especially targeted Oracle Corp. server products, including Primavera project portfolio management software.”