San Francisco Municipal Transit Agency recently suffered a ransomware infection that affected nearly 25 percent of its network, leading to free rides for passengers.
While the transit service was not impacted, a Muni station official said the turnstiles were left open so as to not affect customers. The attackers, operating under the “Andy Saolis” alias associated with the Mamba ransomware family, demanded 100 bitcoins – roughly $73,000 – to unlock encrypted systems.
“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Paul Rose, Muni spokesperson. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”
The message on infected terminals read “You are Hacked,” which is similar to what Mamba ransomware displays. It’s unclear if the same type of malware infected SFMTA’s 2,112 computers (out of a total of 8,656) but, unlike the Petya ransomware that only encrypts the system’s MFT (Master File Table), Mamba uses full-disk encryption. This makes it difficult to recover encrypted files or access any other information on the disk.
When Muni officials contacted the attackers for payment instructions, they received the following reply:
“if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it’s Fast way!”
Backup servers were allegedly unaffected by the ransomware infection, as Muni resumed operation of its fare payment machines the next day and the bitcoin wallet provided by the cybercriminals showed no signs of incoming transfers. While Muni gave no details on how the systems were compromised or what data was affected, it did say it is actively investigating the matter to prevent similar incidents in the future.