San Fran Light Rail Hacked on Holiday Weekend

On Thanksgiving Weekend, ransomware took out San Francisco’s Muni transportation system. Computer screens displayed, in part: “You Hacked, ALL Data Encrypted. Contact For Key(”

Riders enjoyed free fares as a result.

There has been a surge in ransomware — a form of malware that allows hackers to block access to your data until you pay them a ransom to unlock it — the last few years. (Check out our blog on ransomware for tips to protect yourself.)

According to this San Francisco Enquirer story, the hacker was demanding 100 bitcoin, around $73,000, in exchange for the transit data the hacker had captured. According to the story, The Examiner contacted the email address displayed on the Muni screens. Someone who called themselves Andy Saolis responded to the email, and claimed responsibility for spreading the malware to Muni.

“We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” Saolis wrote.

It was not a targeted attack, they wrote, and infected an “admin” level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator, according to the story.

“Our software try to infect anything available and SFMTA station was leak point !” Saoils wrote.

Hacker Hacked

By Monday afternoon, the drama was still playing out. Saolis emailed reporters at Motherboard and Wired and threatened to release stolen data — upwards of 30 gigabytes — if the money wasn’t sent.

And then, in an ironic twist, the hacker was hacked. Security reporter Brian Krebs was contacted on Monday by a security researcher who managed to get into the hackers inbox.

The KrebsOnSecurity story reported all the juicy details, including details about other victims, and insight as to the miscreants identity and location, which looks to be Iran. Generally the attacker has been targeting manufacturing and construction firms in the United States, and most of those victims have paid up.  Based on the a review of all the Bitcoin wallets used since in the last four months, since August, it’s estimated the attacker has extorted $140,000 from victim organizations.

Back to hacking the hacker. The security researcher was able to get into the hackers email account by guessing the answer to his secret question, which allowed him to reset the password for that account. He was also able to access the backup email, which had the same secret question and answer. Further proof that good cyber hygiene is of the utmost importance.

“Truthfully answering secret questions is a surefire way to get your online account hacked,” Kreb wrote in the story. “Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions.” Instead, he advocates using gibberish or a completely unrelated answer.

The San Francisco Examiner reported the FBI is investigating the attack.


Are you covered for identity theft?
Get Covered