San Francisco Municipal Railway riders got a surprise this weekend after the agency’s computer systems were apparently hacked. According to the San Francisco Examiner, the MUNI system was attacked on Friday afternoon.
MUNI riders were greeted with printed "Out of Service" and "Metro Free" signs on ticket machines late on Friday and Saturday. MUNI first became aware of the intrusion on Friday, according to the Examiner.
Computer screens at MUNI stations displayed a message: "You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter." MUNI Spokesman Paul Rose spoke to the Examiner and noted that his agency was "working to resolve the situation," but refused to provide additional details.
Reached by email, the hacker confirmed he was seeking a deal with MUNI to undo the damage:
we don't attention to interview and propagate news ! our software working completely automatically and we don't have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don't want deal ! so we close this email tomorrow!
In September, Morphus Labs linked a hacker by the same name to a ransomware strain called Mamba, which employs tactics similar to those demonstrated against MUNI.
This isn’t the first California organization to face such an issue: earlier this year, Hollywood Presbyterian Medical Center discovered that its files were being held for a $3.6 million ransom. Ransomware attacks typically occur when a malicious file is downloaded onto a computer and executed. Once a victim pays the demanded ransom, the files will be decrypted.
Update, November 29th: Muni representative Paul Rose released the following statement:
We can confirm a ransomware attack. Faregates are again operational. We opened them on Friday and Saturday as a precaution. There has been no impact to transit service, to our safety systems or to our customers' personal information. The incident remains under investigation, so it wouldn't be appropriate to provide any additional details at this point.
The ransomware didn’t even penetrate our firewalls. On Friday, when we first learned of the incident, our agency, along with the contractor, made a decision to open the faregates to minimize any impact to our customers who may have been making transactions at either the faregates or vending machines. Once we had more information, we again turned the faregates and machines on.