Hacker holds San Francisco railway to ransom, demands 100 bitcoins

The San Francisco Municipal Railway (MUNI) has fallen victim to a ransomware attack. The entire ticketing system was taken offline on Friday evening, and stayed down all day Saturday, with the message: "You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681” appearing on MUNI agents’ computer screens.

With no way to collect fares over the weekend, ticket staff was sent home and the turnstiles were opened. Signs were taped to ticket machines all day Saturday indicating the rides would be free.

“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” Paul Rose told CBS news. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

Gizmodo recently received details from the hacker, who uses the name Andy Saolis, a commonly used pseudonym in similar attacks. They claim to control 2,112 of the computers in MUNI’s 8,656 strong network, including all ticket machines. The hacker also named several compromised servers and workstations, some of which appear to be email servers, and threatened to release 30 gigabytes of sensitive information, including data from customers.

“We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers…”

• Andy Saolis

The hacker is demanding 100 bitcoins (US$73,000) to return control of the computers, and told the SF Examiner, “We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” According to the MUNI annual operating budget, ticket sales generate around $559,000 per day, roughly seven and a half times more than the ransom.

A local neighborhood news site, Hoodline, also contacted the hacker using the email provided in the attack. They gave Hoodline a unique bitcoin address, which has received five small payments since the news site published it, worth about $18. However, MUNI will have received a separate address that has not been made public.

Further details include the software used to mount the attack, HDDCryptor. According to Trend Micro, a leading producer of anti-malware software and ransomware investigator, the strain of ransomware is an extremely effective one.

“HDDCryptor can infect systems as an executable unsuspectingly downloaded from malicious websites or as a file dropped by other malware,” Trend Micro explains. The software provides the ability to take over the target’s hard drive with a flexible range of infection options, which the company describes as, “a very serious and credible threat not only to home users but also to enterprises.”

The software uses 2048-bit encryption, according to the Hacker. Digicert estimates that it would take about 6.4 quadrillion years on a modern desktop computer to break, which is longer than modern science expects matter in the universe to exist. However, MUNI may be able to restore their system from backups.

“We are focused now on working to investigate the matter fully to find out all other details, but at this point there is no impact to transit service, to our security systems or to our customers’ private information.”
— – Paul Rose, MUNI spokesperson, as reported by SFGate

While products from McAfee, Kaspersky, and MalwareBytes are designed to help stop some ransomware attacks before it happens, the best safety measure has always been to take great backups and be able to restore without much downtime.

Other services like Chubb help with recovery efforts, providing more of an insurance policy than an IT defense plan. The FBI states that, “the easiest thing may be to just pay the ransom.” Joseph Bonavolonta, FBI Assistant Special Agent in Charge of the Cyber and Counterintelligence Program, said “The ransomware is that good… To be honest, we often advise people just to pay the ransom.”

A similar attack occurred in February, when a smaller hack took down the Hollywood Presbyterian Medical Center system in Los Angeles for 12 days. The hospital reportedly paid a 40 bitcoin ransom to regain control of their system. The following month another hospital in Henderson Kentucky reported a similar attack.

This has become so widespread that large businesses commonly stock up on bitcoins in order to pay ransoms. 33 percent of British companies with more than 250 employees, polled by Citrix, are now holding bitcoin for this very purpose. More than half of companies with 501-1000 employees are also doing so.

However, bitcoin’s blockchain records all transactions. New York blockchain forensics startup Chainalysis is one of many businesses that trace payments across the blockchain. After going through a successful Barclay’s accelerator program, the company was named official investigator of the lost MtGox bitcoins.

Earlier this summer, Chainalysis CEO Michael Grønager stated that great progress is being made working with the police, “Expect to see some arrests soon as law enforcement agencies wrap up their investigations into several ransomware operations.”