Lessons from the S.F. Transit ransomware attack

The downside to our current technological climate is that while efficiency and ease of use keep increasing, new threats appear daily. Transit operators have been hacked before, in the United Kingdom and elsewhere. Now a U.S. transit agency has been hit by cybercriminals: the San Francisco Municipal Transportation Agency's (SFMTA) internal network and payment systems were attacked with ransomware.

The attack began on Nov. 25, when a message appeared on SFMTA computers stating, “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27[@]yandex.com)ID:681 ,Enter.” The attackers demanded a ransom of 100 bitcoin, but the SFMTA did not pay. Instead, according to an official statement, the agency worked with the FBI and DHS to isolate and remove the malware.

It turns out that the ransomware was a family I’ve reported on before. The culprit, according to Kaspersky Lab, was the ever irritating and dangerous Mamba, which encrypts entire hard drives rather than individual files, leaving infected machines unable to boot until the key is supplied. With the internal network (including email) and payment systems compromised, the SFMTA had to turn “off the ticket machines and faregates in the Muni Metro subway stations.” The IT team had the systems restored by Nov. 28.

The systems now appear to be under control, but the hackers who unleashed the ransomware claim to have stolen data. Predictably, their threatening message demands a payoff; otherwise, they say, they “Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!”

Most security experts doubt the validity of the hackers’ claims. As Matthew Gardiner of Mimecast told Threatpost, Kaspersky Lab’s news site, “It’s all about the money. If the transit system has its system back online, then the attackers are going to try to get money out of them another way, such as threatening to release data.”

In this case the SFMTA appears to have been lucky, in the sense that it faced a relatively unsophisticated adversary. Once the systems were cleaned of the Mamba ransomware, the hackers panicked and made unsubstantiated claims in a bid for cash. Whether any data actually left the network is a separate question from the encryption itself, and one only the agency’s own logs can answer. Either way, this should serve as a warning to every transit authority that such an attack is easy to mount.

Next time the hackers may be far more intelligent and far more dangerous.

Photo credit: Wikipedia/Fred Hsu
