Ransomware takes subway users for a free ride

In late November, San Francisco’s public transport network was hit by a ransomware attack that took all ticket machines offline. Instead of shutting the transport system down, the Municipal Transport Agency decided to let users ride for free.

Public transport was free for San Francisco residents on the weekend of 26 November.

While some users thought the San Francisco Municipal Transport Agency (SFMTA) was getting into the Thanksgiving spirit, the reality was very different. Hackers had managed to infect the agency’s computers with ransomware, leaving the following message on all automatic ticketing and passenger information screens:

You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.

The cybercriminals, who likely used Mamba ransomware, asked for a ransom of 100 bitcoins, approximately €70,000.00 (for more information on Mamba, read this article by researchers at Morphus Labs).

The attack appears to have exploited a vulnerability in out-of-date software. However, the attackers’ motives are unclear, and investigations are underway.

A random attack?

Although many users expressed concern about the safety of cities, the attackers may have hit the transport service purely by chance, judging by their comments to The Verge: “we don’t attention to interview and propagate news! our software working completely automatically and we don’t have targeted attack to anywhere.”

Ironically, the attackers also indicated they would close their e-mail account for security reasons after receiving an extremely large number of messages.


A photo published by a user on Reddit.com

Bad for business

Regardless of whether this was a random or targeted event, the SFMTA attack has wide-ranging consequences. Affected equipment must be repaired or replaced. Data security may be compromised if no backups existed.

While a spokesperson confirmed that no ransom had been paid (an answer corroborated by the cybercriminals’ bitcoin address), the attack cost the company several days’ worth of free fares.

Ransomware attacks targeting companies are increasingly frequent. Whether targeted or not, these events are expensive exercises for organisations. In February 2016, hackers blocked an American hospital’s computers and asked for a ransom of over €3 million. After several days, this sum was reduced to €15,000.000 – and paid by the medical centre.