San Francisco public transport ticket system shut down by ransomware

San Francisco's Municipal Transportation Agency was caught with a HDDCryptor Ransomware infection over the weekend, leaving the agency unable to sell tickets or charge customers for transport, unless they pay the hackers demands of 100 Bitcoin.

Commuters enjoyed free travel on the city's public transport as the attack made authorities leave turnstiles open
Commuters enjoyed free travel on the city's public transport as the attack made authorities leave turnstiles open

A ransomware attack on the San Francisco Municipal Transportation Agency (SFMTA) has led to the potential exploitation of thousands of ticketing machines.

SFMTA computers were disabled throughout the network and city employees were presented with the message,"You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com) ID:681, Enter”. The attacker, calling himself Andy Saolis,  has demanded 100 bitcoins (£58,700) for the return of service. In all, 2112 of the agency's 8656 computers were compromised, according to the hackers

The attack was made using HDDCryptor Ransomware, also known as Mamba, which rewrites a computer's Master Boot Record.

Hoodline, a local news agency, reported that the attackers released several pieces of information about the attack, including a list of the affected computers and a bitcoin wallet in which to deposit the ransom. The attack also appears to have compromised critical assets like payroll, a MySQL database and email servers as well as employee's personal computers.

The news was first reported on 26 November and service apparently returned to the computers by the evening of the next day. It is not yet known if the attack is still being fought off. 

A spokesperson for the agency, Paul Rose, said that SMFTA couldn't give details as an investigation was underway but that there was "no impact to our safety systems or to our customer's personal information."

Thousands of SFMTA ticket machines were shut down and while the attack was in effect commuters enjoyed open turnstiles and free travel. Rose added that, "Faregates are again operational. We opened them on Friday and Saturday as a precaution to minimise any possible impacts to customers."

This particular case raises an interesting question, according to Wieland Alge, VP and GM EMEA at Barracuda Networks. “What makes this particular ransomware incident interesting is that the attack affected public-facing ticketing machines. The majority of ransomware attacks take place behind closed doors, with the public sometimes never finding out about them. The hackers that hit the San Francisco transport systems did so in a very public way.”

Hoodline also reported that the agency stands to lose US$559,000 (£449,702) each day that the turnstiles remain open.

Jon Geater, CTO at Thales e-Security, told SC, “Cyber-security is not and cannot be a choice between ‘black and white' or on and off – it's about making an economic decision. This breach didn't directly take the barriers off line: the operator chose to turn them off and forego revenue, or catching fare cheats, in favour of protecting the wider system and possible further data-losses.”

Transport itself has not been affected but this attack may prompt fears of an attack on critical infrastructure, which could paralyse a city, or worse. The BlackEnergy attacks of early 2016 cut off power to hundreds of thousands of Ukrainian citizens in the dead of winter. This serves as just one example of an attack which doesn't just steal data in a relatively benign way, but disrupts the real world in potentially devastating ways.

Geater added, “Businesses are feeling the unintended consequences of putting massively connected and sensitive systems online and into the real world, and this is where robust cyber-security techniques, and trust management, really come into play.”

Connected systems which the tech industry seems increasingly enthusiastic about doing, could be at fault here, Jonathan Sander, VP of product strategy at Lieberman Software told SC: “Anything that runs software connected to a network can be a ransomware target, as riders of the San Francisco Municipal Railway found out this weekend. San Francisco is part of the world capital of technological advancement – the Bay which includes Silicon Valley. It's no surprise that the systems running their trains are hyperconnected and therefore vulnerable to this kind of attack.”

Javvad Malik, Security Advocate at AlienVault added, “The SF Muni breach reinforces the repeated concerns many cyber-security professionals have over internet-connected systems and the IoT (internet of things) as a whole. Whenever systems are wholly digitised and made accessible publicly, there is a risk that hackers will try to gain access." 

"Segregating critical systems from public systems is of utmost importance. This also includes physical segregation, so as not to have access ports or systems in publicly accessible places."


Sign up to our newsletters