A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or 'Muni') to progressively close ticketing machines and open the gates to its railway system.

Through Saturday and into Sunday, passengers were able to ride for free, some thinking it was a Black Friday holiday promotion. The station computers, however, showed the message "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter."

SFMTA has so far given little official information, but did say the attack disrupted some internal computer systems, including email.

Spokesperson Paul Rose announced, "There's no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact. Because this is an ongoing investigation it would not be appropriate to provide additional details at this point." Later, on Sunday, he said, "All fare gates are operational, as of this morning."

Although the attack only had real public visibility from Saturday, CBS Local commented, "Inside sources say the system has been hacked for days."

Researchers recognized the email address in the on-screen message and have engaged the person at the other end. This makes it fairly certain that the ransomware used in this attack is a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares. One of the replies from the Yandex account claimed, "All Your Computer's/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!" and demanded 100 bitcoins (about $73,000) for the decryption key. At this point it seems as if the attacker wasn't sure whether he was speaking to SFMTA or not.

Further emails led to the disclosure of the bitcoin wallet address. However, the attacker was soon getting concerned, responding, "we received many email from SFMTA! how are you and what's your position there?" In a different exchange the attacker is said to have replied, "we don't attention to interview and propagate news ! our software working completely automatically and we don't have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don't want deal ! so we close this email tomorrow!"

Despite the lack of official information about the attack from SFMTA, researchers believe that these snippets of information from the attacker suggest that the malware used was a variant of the HDDCryptor ransomware known as Mamba; and that it was not a targeted attack. A phishing expedition may have tricked an SFMTA employee into handing over privileged credentials, or to visit a poisoned or malicious website.

F-Secure's Sean Sullivan believes the hacker had presence within the network before deploying the ransomware. "Given the number of ticketing workstations affected," he suggests, "it's very likely that a server of some sort was compromised first, and then used as a staging server for the attack. Much like the Horry County school system incident that occurred earlier this year." This fits with the CBS report suggesting that problems had started days earlier.

What is not known at this stage, however, is whether Muni paid the ransom or recovered from backups. If from backups, then it was achieved in good time. This possibility is somewhat supported by the attacker's comment, "but i think they don't want deal !" If SFMTA paid the ransom, then statistically they were lucky to have received the decryption key without demands for further money. Certainly there would be an economic reason to choose the route that would provide the quickest solution: SFMTA would lose several times the ransom demand every day in lost fares. 

Equally possible, of course, is that the ticketing system is separate and was never directly affected. Closed as a precaution, it could have been brought back on line while other parts of the network remain affected. 

Tim Erlin, a director at Tripwire, thinks this or similar is possible. "Transit providers are used to dealing with a variety of outages, so it's not surprising that the SFMTA was able to respond quickly to the incident from that perspective. The investigation of root cause, and the extent of the breach," he told SecurityWeek, "will take much longer than it does to simply get the system back online. Single purpose, embedded systems, like the ticketing kiosk, should be easier to completely re-image than many general purpose computers or servers. It's likely that the SFMTA was able to return to operations without actually determining the root cause and extent beforehand."

Thomas Pore, a director with Plixer International, thinks differently. "The ransom attack against Muni is quite brilliant as the requested extortion amount is not too greedy while the initial hack was intended to be extremely disruptive to the general public, however the hackers may not have anticipated the initial response by the San Francisco Municipal Transit Agency. The disruption to travelers was eliminated when the SFMTA allowed passengers to ride for free. By removing a driving factor from the equation, the hack loses value and the ransom will likely go unpaid."

The reality, however, is that we won't know what happened, or is still happening, until SFMTA delivers an official analysis of the attack. That might take some time.

"While Muni should definitely share their analysis of this breach, sharing incomplete information during an investigation will do little to help," comments Erlin. "Gaining a complete understanding of the extent and root cause of a breach can take a significant amount of time, as we've seen in other incidents."

A brief official statement from SMFTA confirmed the attack but provides nothing new,  but confirms there were no impacts to the safe operation of buses or Muni Metro. The agency also said no customer privacy or transactional data was compromised. "The situation is now contained, and we have prioritized restoring our systems to be fully operational," the statement reads.