San Francisco Transit Agency Recovers From Ransomware Attack

SF Muni was infected with ransomware, prompting the agency to turn off ticket machines and faregates to minimize any potential risk or inconvenience to Muni customers.

November 28, 2016

Black Friday shoppers in San Francisco may have saved a little more than they originally anticipated.

Residents waking up from their turkey-induced comas and looking to hitch a ride to Union Square from the San Francisco Municipal Transportation Agency (SFMTA) were given free fare due to an apparent cyberattack on the agency's computer system -- an issue that has been contained, according to an SFMTA statement.

The attack occurred on Nov. 25, when the SFMTA was hit with ransomware -- a type of malware that typically infects a system through an email attachment and locks users out of their own system. All of the data is then encrypted, and the hacker demands a ransom for the encryption key.

In the attack on SFMTA, the malware affected 900 office computers and access to various systems, including the payroll system, according to the statement, which also specified that there will be no impact to employees' pay. The agency also stated that its network was not breached from the outside, nor did hackers gain entry through SF Muni's firewalls.

"Muni operations and safety were not affected. Our customer payment systems were not hacked," according to the statement, which notes that existing backup systems allowed SFMTA to get most affected computers up and running on the morning of Nov. 29. The IT team anticipates having the remaining computers functional in the next day or two.

Turning off the ticket machines and faregates in the Muni Metro subway stations from Friday until 9 a.m. Sunday was a precaution, according to the statement. "This action was to minimize any potential risk or inconvenience to Muni customers."

The message from the hacker to SFMTA read: "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter." Yandex is a Russian internet company that operates the most popular search engine in the country, along with email and social networking tools.

According to several reports, the hackers demanded 100 Bitcoin (roughly $70,000) in return for the encryption key to unlock the data. The Blockchain Locker, which is available for anyone to see, has received only 0.0227761 BTC ($16.62 USD). The computers were infected with HDDCryptor ransomware, which targets Windows machines, according to one report.

According to The Verge, the hacker messaged the agency back, threatening to release data on Muni's employees and customers if his ransom is not paid.

"I hope company try [sic] to fix it correctly and we can advise them," the hacker wrote. "But if they don’t, we will publish 30G databases and documents include [sic] contracts, employees data, LLD Plans, customers."

But the statement from SFMTA specifies that despite media reports, no data was accessed from any of the agency's servers. Upon discovering the malware, the agency immediately contacted the Department of Homeland Security (DHS) to identify and contain the virus, and is continuing to work closely with the FBI and DHS on the situation.

Paying the ransom, according to the SFMTA, was never an option.

"We have an information technology team in place that can restore our systems, and that is what they are doing."