The San Francisco Municipal Transportation Agency said late Monday that no data had been accessed from its servers in a ransomware attack on the Muni transit system and the agency has never considered paying the ransom asked by the attacker.
The statement by the SFMTA follows reports that the alleged attacker has threatened to dump 30GB of data stolen from the agency if the ransom of the equivalent of about $73,000 in bitcoin was not paid.
“The SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls,” the agency’s spokeswoman Kristen Holland wrote in a blog post. She did not mention how the ransomware had gotten to the SFMTA systems, though there is the possibility that it may have been activated through a link in an email or a web link by an unsuspecting insider.
The malware had been used to encrypt some systems, mainly affecting some 900 office computers as well as access to various systems, Holland added.
The attack on the transit system last week served to highlight the risk to critical, public infrastructure from cyberattacks, leading some people to voice concern about the safety of the operations of the transit system.
The post tries to address such concerns by stating that Muni operations and safety were not affected and customer payment systems were not hacked. The payroll system was in operation but access to it was temporarily affected, according to the SFMTA post.
The transit system was hit by ransomware since Friday, reportedly leading to the message “You Hacked, ALL Data Encrypted” being displayed on the computer screens at stations.
SFMTA in coordination with partner Cubic Transportation Systems decided to turn off ticket machines and faregates in the Muni Metro subway stations from Friday to Sunday morning only as a precaution. In the event, passengers benefited from a free ride during those days.
The agency has approached the Department of Homeland Security for help to identify and contain the virus, and is working closely with DHS and the FBI on the attack.
“The SFMTA has never considered paying the ransom” to the attacker, according to the post. The agency’s information technology team is restoring the systems, with all computers expected to be functional in the next day or two. Most affected computers are already back in operation, SFMTA said.
The ransomware is believed to be a variant of HDDCryptor, which uses commercial tools to encrypt hard drives and network shares, and was identified in September by Trend Micro as a threat both to consumers and enterprises as it not only "targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive."