Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ransomware Attack Disrupts San Francisco Rail System

A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.

A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.

Through Saturday and into Sunday, passengers were able to ride for free, some thinking it was a Black Friday holiday promotion. The station computers, however, showed the message “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

SFMTA has so far given little official information, but did say the attack disrupted some internal computer systems, including email.

Spokesperson Paul Rose announced, “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact. Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.” Later, on Sunday, he said, “All fare gates are operational, as of this morning.”

Although the attack only had real public visibility from Saturday, CBS Local commented, “Inside sources say the system has been hacked for days.”

Researchers recognized the email address in the on-screen message and have engaged the person at the other end. This makes it fairly certain that the ransomware used in this attack is a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares. One of the replies from the Yandex account claimed, “All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!” and demanded 100 bitcoins (about $73,000) for the decryption key. At this point it seems as if the attacker wasn’t sure whether he was speaking to SFMTA or not.

Further emails led to the disclosure of the bitcoin wallet address. However, the attacker was soon getting concerned, responding, “we received many email from SFMTA! how are you and what’s your position there?” In a different exchange the attacker is said to have replied, “we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”

Despite the lack of official information about the attack from SFMTA, researchers believe that these snippets of information from the attacker suggest that the malware used was a variant of the HDDCryptor ransomware known as Mamba; and that it was not a targeted attack. A phishing expedition may have tricked an SFMTA employee into handing over privileged credentials, or to visit a poisoned or malicious website.

F-Secure’s Sean Sullivan believes the hacker had presence within the network before deploying the ransomware. “Given the number of ticketing workstations affected,” he suggests, “it’s very likely that a server of some sort was compromised first, and then used as a staging server for the attack. Much like the Horry County school system incident that occurred earlier this year.” This fits with the CBS report suggesting that problems had started days earlier.

What is not known at this stage, however, is whether Muni paid the ransom or recovered from backups. If from backups, then it was achieved in good time. This possibility is somewhat supported by the attacker’s comment, “but i think they don’t want deal !” If SFMTA paid the ransom, then statistically they were lucky to have received the decryption key without demands for further money. Certainly there would be an economic reason to choose the route that would provide the quickest solution: SFMTA would lose several times the ransom demand every day in lost fares. 

Equally possible, of course, is that the ticketing system is separate and was never directly affected. Closed as a precaution, it could have been brought back on line while other parts of the network remain affected. 

Tim Erlin, a director at Tripwire, thinks this or similar is possible. “Transit providers are used to dealing with a variety of outages, so it’s not surprising that the SFMTA was able to respond quickly to the incident from that perspective. The investigation of root cause, and the extent of the breach,” he told SecurityWeek, “will take much longer than it does to simply get the system back online. Single purpose, embedded systems, like the ticketing kiosk, should be easier to completely re-image than many general purpose computers or servers. It’s likely that the SFMTA was able to return to operations without actually determining the root cause and extent beforehand.”

Thomas Pore, a director with Plixer International, thinks differently. “The ransom attack against Muni is quite brilliant as the requested extortion amount is not too greedy while the initial hack was intended to be extremely disruptive to the general public, however the hackers may not have anticipated the initial response by the San Francisco Municipal Transit Agency. The disruption to travelers was eliminated when the SFMTA allowed passengers to ride for free. By removing a driving factor from the equation, the hack loses value and the ransom will likely go unpaid.”

The reality, however, is that we won’t know what happened, or is still happening, until SFMTA delivers an official analysis of the attack. That might take some time.

“While Muni should definitely share their analysis of this breach, sharing incomplete information during an investigation will do little to help,” comments Erlin. “Gaining a complete understanding of the extent and root cause of a breach can take a significant amount of time, as we’ve seen in other incidents.”

A brief official statement from SMFTA confirmed the attack but provides nothing new,  but confirms there were no impacts to the safe operation of buses or Muni Metro. The agency also said no customer privacy or transactional data was compromised. “The situation is now contained, and we have prioritized restoring our systems to be fully operational,” the statement reads.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.