Was software piracy behind the San Francisco Muni transit system ransomware infection?

The attacker(s) claimed the ransomware was an automated attack, triggered when someone at SFMTA downloaded a torrented software keycode generator.

[Image: ransomware illustration. Credit: Shutterstock]

People using San Francisco’s Muni public transportation, which consists of buses, streetcars, Metro light rail and cable cars, rode for free over the holiday weekend. It’s not like SFMTA bothered to send even a tweet to inform confused Muni riders as to what was happening. Some of those people thought the free rides were part of a Thanksgiving gift or “Black Friday deal,” but anyone who happened to glance at San Francisco Muni station computer screens knew better. On Friday and Saturday, the screens all displayed:

You Hacked, ALL Data Encrypted, Contact For Key(cryptom27@yandex.com)ID:681 ,Enter Key.

[Image: cropped version of the ransom demand on a Muni computer screen, posted by user Blorq on Reddit.]

Yeppers, the San Francisco Municipal Transportation Agency’s (SFMTA) Muni transit system was the victim of a ransomware attack.

“Out of Service” was displayed in red across the top of Muni ticket payment machines; some also had a sticky note over the screen which read “FREE MUNI.”

SFMTA spokesman Paul Rose said the hack was discovered on Friday, but all fare machines were back to normal on Sunday. The “Muni subway fare gates were locked in an open position and could not be electronically closed;” Rose claimed the fare gates were intentionally opened to promote free Muni service.

It was not a targeted attack, according to the San Francisco Examiner. After the news outlet contacted the Yandex email address listed in the ransom note, someone going by “Andy Saolis” claimed the ransomware “infected an admin level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator.”

Instead of providing free software, the ransomware-tainted keycode generator will infect any computer which downloads and attempts to run it. Saolis told the Examiner, “Maybe they need learning something in hard-way!”

The ransom amount was 100 bitcoins, which was equal to a little more than $73,000.

The person answering the Yandex email address also told The Verge that it wasn’t a targeted attack, since the software works automatically.

Salted Hash reported the malware is likely a variant of HDDCryptor. Steve Ragan, who also exchanged emails with the attacker, said 2,112 systems were infected. On Saturday, after someone presumably from SFMTA contacted the Yandex email account, the attacker replied; part of the message stated: “All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit! We have 2000 Decryption Key!”

Yet the attacker believed he or she had received many emails from SFMTA; it’s unclear if SFMTA ever responded, but with the Yandex email address plastered on Muni screens, many people and news agencies contacted the attacker. The person replying from the Yandex email told Ragan the account would be closed on Nov. 27 “for security reason[s].”

As noted previously, the computers for transit systems had been restored on Sunday. The bitcoin wallet where SFMTA was to send the ransom does not show 100 bitcoins, so it appears as if SFMTA did not pay the ransom.

The ransomware attack is reportedly being investigated by law enforcement.
