Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ransomware Attack Disrupts San Francisco Rail System

A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.

A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.

Through Saturday and into Sunday, passengers were able to ride for free, some thinking it was a Black Friday holiday promotion. The station computers, however, showed the message “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

SFMTA has so far given little official information, but did say the attack disrupted some internal computer systems, including email.

Spokesperson Paul Rose announced, “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact. Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.” Later, on Sunday, he said, “All fare gates are operational, as of this morning.”

Although the attack only had real public visibility from Saturday, CBS Local commented, “Inside sources say the system has been hacked for days.”

Researchers recognized the email address in the on-screen message and have engaged the person at the other end. This makes it fairly certain that the ransomware used in this attack is a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares. One of the replies from the Yandex account claimed, “All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!” and demanded 100 bitcoins (about $73,000) for the decryption key. At this point it seems as if the attacker wasn’t sure whether he was speaking to SFMTA or not.

Further emails led to the disclosure of the bitcoin wallet address. However, the attacker was soon getting concerned, responding, “we received many email from SFMTA! how are you and what’s your position there?” In a different exchange the attacker is said to have replied, “we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”

Despite the lack of official information about the attack from SFMTA, researchers believe that these snippets of information from the attacker suggest that the malware used was a variant of the HDDCryptor ransomware known as Mamba; and that it was not a targeted attack. A phishing expedition may have tricked an SFMTA employee into handing over privileged credentials, or to visit a poisoned or malicious website.

F-Secure’s Sean Sullivan believes the hacker had presence within the network before deploying the ransomware. “Given the number of ticketing workstations affected,” he suggests, “it’s very likely that a server of some sort was compromised first, and then used as a staging server for the attack. Much like the Horry County school system incident that occurred earlier this year.” This fits with the CBS report suggesting that problems had started days earlier.

What is not known at this stage, however, is whether Muni paid the ransom or recovered from backups. If from backups, then it was achieved in good time. This possibility is somewhat supported by the attacker’s comment, “but i think they don’t want deal !” If SFMTA paid the ransom, then statistically they were lucky to have received the decryption key without demands for further money. Certainly there would be an economic reason to choose the route that would provide the quickest solution: SFMTA would lose several times the ransom demand every day in lost fares. 

Equally possible, of course, is that the ticketing system is separate and was never directly affected. Closed as a precaution, it could have been brought back on line while other parts of the network remain affected. 

Tim Erlin, a director at Tripwire, thinks this or similar is possible. “Transit providers are used to dealing with a variety of outages, so it’s not surprising that the SFMTA was able to respond quickly to the incident from that perspective. The investigation of root cause, and the extent of the breach,” he told SecurityWeek, “will take much longer than it does to simply get the system back online. Single purpose, embedded systems, like the ticketing kiosk, should be easier to completely re-image than many general purpose computers or servers. It’s likely that the SFMTA was able to return to operations without actually determining the root cause and extent beforehand.”

Thomas Pore, a director with Plixer International, thinks differently. “The ransom attack against Muni is quite brilliant as the requested extortion amount is not too greedy while the initial hack was intended to be extremely disruptive to the general public, however the hackers may not have anticipated the initial response by the San Francisco Municipal Transit Agency. The disruption to travelers was eliminated when the SFMTA allowed passengers to ride for free. By removing a driving factor from the equation, the hack loses value and the ransom will likely go unpaid.”

The reality, however, is that we won’t know what happened, or is still happening, until SFMTA delivers an official analysis of the attack. That might take some time.

“While Muni should definitely share their analysis of this breach, sharing incomplete information during an investigation will do little to help,” comments Erlin. “Gaining a complete understanding of the extent and root cause of a breach can take a significant amount of time, as we’ve seen in other incidents.”

A brief official statement from SMFTA confirmed the attack but provides nothing new,  but confirms there were no impacts to the safe operation of buses or Muni Metro. The agency also said no customer privacy or transactional data was compromised. “The situation is now contained, and we have prioritized restoring our systems to be fully operational,” the statement reads.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...