San Francisco's transport system was hit by a ransomware attack, with the hacker/hackers demanding a ransom of 100 bitcoins ($70,000, £56,000, €66,000). Following the attack, ticket machines shut down and passengers of the San Francisco Municipal Railway (MUNI) were allowed to ride for free, according to reports.
The hacker/hackers reportedly defaced computers across the city's transport network, including at stations, with a message that read: "You Hacked, ALL Data Encrypted. Contact For Key(email@example.com)ID:681 ,Enter".
Over 2,000 systems were hit by a variant of the HDDCryptor ransomware, according to a report by The Register. The affected systems included office admin desktops, email and print servers, employee laptops, payroll systems, SQL databases, station kiosk PCs and lost and found property terminals.
"There's no impact on the transit service, but we have opened the fare gates as a precaution to minimise customer impact," MUNI spokesperson Paul Rose told a CBS affiliate. "Because this is an ongoing investigation it would not be appropriate to provide additional details at this point."
According to a report by The Verge, the hacker/hackers confirmed that they were seeking to work out a deal with MUNI. An email from the hacker/hackers read: "We don't attention to interview and propagate news ! our software working completely automatically and we don't have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don't want deal ! so we close this email tomorrow!"
The hacker/hackers also allegedly offered to decrypt one machine for one bitcoin in an effort to prove that systems could be restored.
According to a report by local news site Hoodline, a hacker group calling itself Andy Saolis launched the ransomware, also known as Mamba. Security experts speculated that the attackers might have used a phishing scam to gain access to a MUNI staffer's credentials to launch the ransomware attack.
As of Sunday (27 November) morning, ticketing machines were back online. However, it is still unclear whether the attack has been contained. It is also uncertain whether authorities have been able to determine the identity and/or location of the attackers.