Close this search box.

Throwback Attack: Ransomware criminals hack SFMTA rail system (and then get hacked themselves)

Courtesy: Amara Rozgus

There is seldom anything good that comes from ransomware attacks, but at least San Francisco mass transit users got a few free rides during a busy Thanksgiving weekend. In November 2016, threat actors went after San Francisco’s Municipal Transportation Agency (SFMTA), hitting the city’s light rail system, better known as the Muni. The strike caused minor disruptions, including costing the underfunded transit system several days of fares, but ultimately gave Black Friday riders a holiday gift.

Hackers are always on the lookout for pain points — systems that can’t afford to shut down and are thus ripe for exploitation. That’s why hospitals and businesses like the Colonial Pipeline have become ready targets for ransomware attackers. The theory goes: If you can’t afford to pause a service, you’re more likely to pay. Taking down a major municipality’s transportation systems could have been calamitous, but the Bay Area got off fairly easy. This ransomware strike impacted the SFMTA’s internal computer systems, including email and ticketing, with the attackers attempting to extort 100 bitcoins, then amounting to about $73,000.

When station agents arrived at their booths on Friday, Nov. 25, their monitors greeted them with an ominous message reading, “You Hacked. ALL data encrypted,” along with an email address, [email protected], to contact for the encryption key. Handmade “Out of Service” signs were quickly posted over station terminals, while the SFMTA went to work trying to uncover how much damage had been done. Luckily, it seems the answer was: very little.

“On Friday, Nov. 25 we became aware of a potential security issue with our computer systems, including email,” read an SFMTA statement on the Monday after the attack. “The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports – no data was accessed from any of our servers.”

The malware reportedly affected about 2,000 of the SFMTA’s 8,000 computer systems and gained access to physical ticketing machines, which forced the Muni to turn off payment systems and open the gates to customers for the weekend. According to reports, many riders just assumed the free fares were a holiday gift from the city.

As with a typical ransomware attack, the hackers encrypted SFMTA files and then claimed they would release critical data stolen during the attack if the ransom was not paid. But the SFMTA refuted the attackers claims and reportedly refused to pay the ransom. They, instead, relied on their own backups and information technology (IT) teams to remediate the attack.

“Upon discovering the malware, we immediately contacted the Department of Homeland Security (DHS) to identify and contain the virus. We are working closely with the FBI and DHS on this matter,” read the company statement. “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day.”

By Monday, Nov. 28, the SFMTA had done that. The situation was contained and systems were back up and running.

SFMTA switch

In an interesting twist on the SFMTA story, KrebsOnSecurity reported the transit hacker was actually hacked himself by a security researcher shortly after the breach, giving the world some visibility into inner workings of the attack.

“A review of more than a dozen Bitcoin wallets this criminal has used since August indicates that he has successfully extorted at least $140,000 in Bitcoin from victim organizations,” wrote KrebsOnSecurity. “That is almost certainly a conservative estimate of his overall earnings these past few months: My source said he was unable to hack another Yandex inbox used by this attacker between August and October 2016, ‘[email protected],’ and that this email address is tied to many search results for tech help forum postings from people victimized by a strain of ransomware known as Mamba and HDD Cryptor.”

The hackers behind the [email protected] email address have a long history of encrypting files and demanding ransom payment from victims for an encryption key. From this counterhack, researchers gleaned the attack on Muni was not targeted. It was likely a so-called “spray and pray” attack, where the malicious actor used automation to move through a set of IP addresses seeking vulnerabilities. The SFMTA was just collateral damage.

In 2016, a Trend Micro blog post on HDDCryptor, said the malware “not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.”

Ransomware has been on the rise for years now — according to BlackFog’s State of Ransomware report, attacks have been up over last year every month so far in 2021. One of the reasons for this worrying trend is the barrier to entry has gone down. There are now “off-the-shelf” options that allow relatively unskilled attackers to ransom systems. The Trend Micro researchers underscored this in their post.

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals.”

Proof of concept

While the city of San Francisco seems to have avoided serious repercussion from this hack, attacks on critical infrastructure like public transportation systems have the potential to be disruptive and even endanger passenger safety. Since 2016, attacks on public transit have propagated all over the world.

In June of this year, multiple outlets reported the Metropolitan Transportation Authority in New York was breached by a group with links to China. Other ransomware attacks have been leveled against the transit authority in Fort Worth, Texas; the Southeastern Pennsylvania Transportation Authority in Philadelphia; and the Steamship Authority of Massachusetts, which ferries passengers to Martha’s Vineyard and Nantucket.

American public transit systems make a very appealing target for both hackers looking to make a quick buck and those maliciously hoping to cripple an entire city because they are often older and underfunded. They’re also relied upon daily by millions of people and can’t afford to go offline for long stretches of time.

In an email to Wired, the SFMTA attacker, who used the name Andy Saolis, wrote: “San Francisco People ride for free two days ! welcome ! But if ugly hacker’s attack to Operational Railways System’s , whats’ happen to You ? Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World ! It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety ! They give Your Money and everyday Rich more ! But they don’t Pay for IT Security and using very old system’s !”

In other words, the susceptibility of transit systems is far from a secret to the criminal underground. This attack proved the importance of having good backups, but it’s also essential transit systems separate payment and ticketing software from the operational technology (OT) that runs things like trains and buses. That’s where the real damage can be done.




Keep your finger on the pulse of top industry news