Industry News

Ransomware Takes San Francisco Transit Station Hostage; $73,000 Ransom Sought

San Francisco Municipal Transit Agency recently suffered a ransomware infection that affected nearly 25 percent of its network, leading to free rides for passengers.

While the transit service was not impacted, a Muni station official said the turnstiles were left open so as to not affect customers. The attackers, operating under the “Andy Saolis” alias associated with the Mamba ransomware family, demanded 100 bitcoins – roughly $73,000 – to unlock encrypted systems.

“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Paul Rose, Muni spokesperson. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

The message on infected terminals read “You are Hacked,” which is similar to what Mamba ransomware displays. It’s unclear if the same type of malware infected SFMTA’s 2,112 computers (out of a total of 8,656) but, unlike the Petya ransomware that only encrypts the system’s MFT (Master File Table), Mamba uses full-disk encryption. This makes it difficult to recover encrypted files or access any other information on the disk.

When contacted by Muni officials for payment instructions, hackers replied the following:

“if You are Responsible in MUNI-RAILWAY !

All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!

We have 2000 Decryption Key !

Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!

We Only Accept Bitcoin , it’s So easy!

you can use Brokers to exchange your money to BTC ASAP

it’s Fast way!”

Backup servers were allegedly unaffected by the ransomware infection, as Mini resumed operations of their fair payment machines the next day and the bitcoin wallet provided by cybercriminals showed no signs of bitcoin transfers. While Mini gave no details on how the systems got hacked and what data was affected, they did say they’re actively investigating the matter to avoid similar future outcomes.

For more details ransomware and how to protect yourself from it, check out our ABCs of Cybersecurity post and ransomware video.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.