SF MUNI hacker lashes out, threatens to release 30GBs of compromised data

Attacker says that those who received free rides due to his work should be grateful


A woman waits for a MUNI train at the Embarcadero station in San Francisco, California.

Credit: REUTERS/Robert Galbraith

The person claiming responsibility for the attack on San Francisco’s MUNI says the SFMTA has lax security, and warns that if the ransom isn’t paid, they’ll release 30GB of compromised data.

The demands follow a weekend of headaches for SFMTA, after MUNI was targeted shortly before the Thanksgiving holiday, resulting in systems that were encrypted and held for a $73,000 ransom.

On Sunday, Salted Hash revealed that 2,112 MUNI systems were infected with hard drive encrypting malware. The person responsible for the attack, who maintains a Yandex email account that has been linked to similar incidents, demanded 100 Bitcoins for the decryption keys, or just over $73,000 USD.

While more than 2,000 systems were compromised by the malware, 8,656 systems were exposed to the attacker, and it still isn’t clear why they were not compromised as well.

Shortly after the attack, SFMTA started allowing passengers to ride light rail free of charge, in order to minimize customer impact, as the malware impacted desktops, laptops, servers, and other critical systems.

SFMTA hasn’t responded to questions about the incident, and there are mixed reports of systems being restored to working order in some areas.

Given that the ransom hasn’t been paid, and that hard drive encrypting malware such as this can’t be defeated by basic restoration from backups (in most cases the drive has to be re-imaged), it is possible that SFMTA / MUNI administrators have begun replacing or re-imaging hard drives.

On Monday afternoon, the owner of the Yandex email account reached out to Salted Hash and expressed frustration over the lack of payment, given how much money MUNI earns each day from passengers. The email also expressed frustration over what the sender considers to be a poor stance on network security by SFMTA.

The message, printed in full below with no edits, goes on to warn that if payment isn’t made, the sender will release 30GB of compromised data, allegedly taken during the hack that exposed the MUNI network to the cryptor malware.

San Francisco People ride for free two days ! welcome !

But if ugly hacker’s attack to Operational Railways System’s , whats’ happen to You?

Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World!

It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety !

They give Your Money and everyday Rich more! But they don’t Pay for IT Security and using very old system’s !

We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …!

We Gain Access Completely Random and Our Virus Working Automatically ! We Don’t Have Targeted Attack to them ! It’s wonderful !

If some Hacker Try to Hack Your Transportation Infrastructure Target-Based , it’s Have More Impact!

We Don’t live in USA but I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don’t , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!

Sorry For My English anyway ;)

I Hope anyone Agree With us ,help and Donate us in Bitcoin !
