SF Muni Ransomware Hackers Threaten To Expose 30 GB Of Stolen Data Unless They Get $73K Ransom
The ransomware hackers that recently breached the San Francisco Municipal Railway public transportation system have demanded $73,000 ransom, threatening to release 30 GB of stolen data if they don't get the money.
All SF Muni rides were free on Saturday after the San Francisco Municipal Transport Agency was hacked over the Thanksgiving weekend. To gain access, hackers infected a SFMTA computer with malicious software and locked the fare gates in an open position. SF Muni services operated without disruptions, but the systems could not charge riders for the fare. The hack affected SF Muni employee emails as well.
$73,000 Ransom Or Else
The SF Muni's kiosks went back online on Sunday after recovering from the ransomware attack, but the attackers are now threatening to expose 30 GB of stolen employee and customer data, Fortune reports.
After exchanging a number of emails with the purported attackers, Fortune learned that the allegedly stolen data will become public if the SFMTA fails to strengthen its vulnerable systems and pay an undisclosed ransom by Friday. A separate report from the San Francisco Examiner, which first reported on the breach, notes that the ransom is 100 Bitcoin, meaning roughly $73,000.
Fortune asked the hackers for proof that they really do have stolen data, but the attackers refused to provide a sample for verification. Nevertheless, they said they will show the data if the SFMTA doesn't contact them. The SFMTA, meanwhile, has yet to disclose whether it plans to pay the ransom or go for a different approach.
SFMTA spokesman Paul Rose had already said that this is an ongoing investigation, and the agency can't disclose any additional information until the probe is completed.
Asking about the identity of the hacking group, Fortune obtained only one name: "Andy Saolis," a pseudonym that was previously tied to other ransomware attacks. Saolis further told Fortune that the SF Muni computer network ransomware attack was an automated breach, not a targeted one. The attack exploited old software the SFMTA uses, and it purportedly extended beyond station kiosks.
"We Gain Access Completely Random and Our Virus Working Automatically!" said Saolis. "We Don't Have Targeted Attack to them! It's wonderful!"
Saolis also told Forbes that the team behind the hack was not based in the United States, which might be one's first thought when reading the above statement. On the other hand, it takes more than broken English to corroborate the claim, so it remains unconfirmed for now whether the attackers were foreign or not.
While Fortune did not manage to get a sample of the stolen data to verify its authenticity, Hoodline reports that it has seen evidence that the breach went beyond SF Muni ticket kiosks. The hack reportedly compromised a number of other areas including email servers, payroll, NextBus operations, Quickbooks, MySQL database servers, staff training and PCs for hundreds of SF Muni employees.
Moreover, Hoodline also says the hackers have control over 2,112 computers, meaning roughly a quarter of the SFMTA's 8,656 computers.