Hackers hijack Muni fare systems, demanding $73K in ransom


A message saying, “You hacked, ALL data encrypted” appeared on computer screens across Muni stations yesterday, reports the San Francisco Examiner. Fare systems crashed Saturday, which meant everyone rode for free until the system was restored. SFMTA confirmed with ABC7 that the system was indeed hacked and went back online on Sunday.

The Examiner reports that the message read, “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

Here’s a photo of the hacker screen, courtesy of @kpix.


Update Sunday, Nov. 27, 5pm

It turns out that the alleged hacker might be holding Muni virtually hostage, as The Verge reports: the hack might involve “ransomware” called Mamba. The malware essentially locks up your data unless you pay a ransom.

Forbes also reports that hackers have been using this ransomware variant since this summer:

One victim who’d been targeted by the same mail address wrote on Bleeping Computer that they’d discovered the malware in use was HDDCryptor. Bleeping Computer and security firm Trend Micro both noted a surge in activity from that ransomware variant from August onwards.

Both The Verge and the San Francisco Examiner said they got in touch with the person who owns the email address in the hacker’s message, and here’s what the Examiner found out:

Meanwhile, one person who may have spread the malware which disabled Muni computers said they want $73,000 as ransom in exchange for captured transit agency data, the San Francisco Examiner has learned.


The Examiner contacted the email address displayed on the hacked Muni screens and someone calling themselves “Andy Saolis” responded, and said they spread the malware to Muni.


City transit officials would not confirm the identity of the attacker, and Saolis said transit officials had not yet contacted them.

“We do this for money, nothing else ! i hope it’s help to company to make secure IT before we coming !” Saolis wrote.

The hacker told the Examiner that someone at the SFMTA may have downloaded a torrented computer file, and that “SFMTA station was the leak point.” The hacker demanded to be paid only in Bitcoins, according to the Examiner.

Some Muni fare machines are back online, though Hoodline, which also contacted the hacker, reports that the hackers claim to control 2,112 of SFMTA’s 8,656-computer network.

According to Hoodline:

SFMTA’s backup servers did not appear to be among the thousands of impacted machines, which could allow the agency to avoid paying the ransom and restore their computers from previous copies of their system data. However, depending on how old the backups are, they still could risk losing critical information.

Update Monday, Nov. 28, noon

Hackers apparently extended the payment deadline from Monday to this Friday, though train operations remain normal and the SFMTA says it has no plans to pay the ransom, according to the San Francisco Examiner. Forbes and Boing Boing also reported that the hacker did not single out Muni as a target; rather, the malware works automatically to find vulnerable systems.

“The alleged attacker said they are not attempting to gain control of train operations, which are run by computer,” the San Francisco Examiner’s Joe Fitzgerald Rodriguez reports.

Hackers told the Examiner that, through a Windows 2000 PC server at the SFMTA, they were able to get access to “all payment kiosk and internal automation and Email,” and threatened to release 30 gigabytes worth of contracts, employee data, “LLD plans,” and customer data.

However, the SFMTA says that customer data is not at risk. “We’ve never considered paying the ransom,” SFMTA spokesperson Paul Rose told the Examiner, “because we have in-house staff capable of recovering all systems, and we’re doing that now.” Rose also said that there was no disruption to transit service.

Photo by Joe Fitzgerald Rodriguez
