UPDATED 2:15 p.m. ET with new ransom demand from attackers.
A massive ransomware attack hit San Francisco's Muni transit system over the weekend, crippling the ticket-sales system and forcing Muni to make train and bus rides free from Friday (Nov. 25) to Sunday (Nov. 27). Tickets went back on sale late Sunday, but the attack showed how vulnerable critical-infrastructure computer systems can be, even against common malware.
The attack echoed the just-released video game Watch Dogs 2, in which a hacker attacks a citywide surveillance system in a fictional version of San Francisco. There's no evidence that the real-life attack specifically targeted Muni or even San Francisco.
The malware used was a variant of the common HDDCryptor ransomware, which encrypts a victim's hard drive and spreads along internal computer networks looking for more machines. More than 2,000 Muni computers were reportedly infected and encrypted.
Because HDDCryptor won't even let a Windows PC boot up normally, all the user will see is an encryption demand in plaintext, as shown in a photo shared on Twitter by user Colin Heilbut. His photo captured the message "You Hacked, ALL Data Encrypted," on a station display, along with "Contact For Key(firstname.lastname@example.org)ID:681 ,Enter. Key:"
That Russian email address matches that of similar ransomware messages from the past couple of months. CSOonline reported that sources close to the incident said the ransomware demanded 100 Bitcoins, about $73,101 at the time of publishing. It's not known whether Muni paid the ransom, but IDG News Service noted that as of late Sunday Pacific time, no transfer had been made to the Bitcoin wallet specified in the ransom demand.
In a statement to the local CBS affiliate, KPIX-TV, Muni spokesperson Paul Rose said that fare gates were left open to "minimize customer impact." Rose declined to offer further information, as the hack is an ongoing investigation.
The TV station also reported that the hack may affect Muni employees as well, noting that "SFMTA workers are not sure if they will get paid this week" and that attackers "also hit Muni's email systems."
Security researchers have been warning for years that many aspects of a modern city, including water, power, transit and even garbage-collection systems, are vulnerable to cyberattacks, although the warnings usually involve sophisticated nation-state attackers bent on cyberwar. The notion that generic ransomware just happened upon and crippled an entire public-transit system may spur more cities to beef up their infrastructure networks.
UPDATED 2:15 p.m. ET Monday: It appears that Muni didn't pay the ransom. The attackers controlling the ransomware have told VICE Motherboard that they will publicly release 30GB of confidential data they stole from the Muni payment systems. It's not clear whether the attackers actually possess such information.