
San Francisco Subway Hackers Now Threaten to Publicly Dump Data

Over the weekend, Muni riders could travel for free because systems were infected with ransomware. Now, the hackers have made a new threat.

Over the weekend, riders of San Francisco's municipal transit system (Muni) were allowed to travel for free because hackers had infected subway computers with ransomware. According to CSO Online, the attackers have demanded some $73,000 worth of bitcoin.

Now, the hackers have made a new threat: the release of 30GB of databases and documents belonging to the San Francisco Muni, including contracts and customer and employee data, if they don't receive payment.


"To Have More Impact to Company To Force Them to do Right Job!" the hackers, who used the moniker "andy saolis," told Motherboard in an email exchange on Monday.

"Anyone See Something like that in Hollywood Movies But it's Completely Possible in Real World!," they added, presumably referring to the rather bizarre sight of a public transport system becoming infected with ransomware.

"It's Show to You and Proof of Concept, Company don't pay Attention to Your Safety!" they continued. The hackers claimed to have infected over 2,000 of Muni's systems, including payment kiosks and email servers.

According to CBS San Francisco, which first covered the hack on Saturday, the message "You Hacked" has been displayed across Muni station monitors.

A commentator on Bleeping Computer indicated that the same hackers may have hit another target in September, and CSO Online reported that the ransomware behind the attack is a variant of HDDCryptor. According to a Trend Micro report from September, this particular strain of ransomware is pretty aggressive, targeting drives, folders, printers, and serial ports.

The hackers' latest threat appears to be on top of their use of ransomware. Often, hackers will deploy one tactic or the other: either they will threaten a company with the release of internal data, or they will keep the victim's files locked down with malware. Seeing both in one go is fairly unusual.


However, it's not clear how many internal documents the hackers have actually stolen, if any. When asked several times to provide proof to back up their claims, the hackers told Motherboard they were still waiting for the company to contact them, and declined to send any sample files.

"we proof our capability before ! we don't want leak really but if they don't pay attention , it's will be our plan, [sic]" they wrote.


After the publication of this article, the San Francisco Municipal Transportation Agency (SFMTA) published a statement, denying that the hackers had accessed any internal data.

"The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports - no data was accessed from any of our servers," the statement read.

"The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing," it continued. The SFMTA is working closely with the FBI and DHS, the statement added.

Update: This piece has been updated to include a statement from the SFMTA, and has also been updated to clarify that the hackers are also threatening to release data about Muni customers.