A ransomware attack took ticket machines for San Francisco’s light rail transit system offline all day Saturday during one of the busiest shopping weekends of the year, but rather than shutting down, the agency decided instead to let users ride for free.
The San Francisco Municipal Transportation Agency, known as Muni, reported that agents’ computer screens displayed the message “You Hacked, ALL Data Encrypted” beginning Friday night.
The attackers demanded 100 Bitcoins, worth about $73,000, the San Francisco Examiner reported. The agency did not respond to questions about whether the amount was paid.
The cyber crime disrupted Muni’s internal computer system and email but did not affect the actual running of the transit agency, which runs buses, light rail, historic streetcars and the city’s famed cable cars.
The system provides 735,000 trips per day, but the free rides applied only to the light rail portion, for patrons boarding at the city’s subway stops, which must be accessed by stepping through fare gates.
The ticket machines at those stops instead carried pink “Out of Service” messages, along with hand-written signs saying “Metro free.”
“The fare gates were closed on Friday and Saturday as a precaution, to minimize any impact to customers. They were operational again on Sunday. Neither customer privacy nor transaction information was compromised,” Muni said in a release.
“Encrypting files and asking for ransom has been a popular method of attack in recent years. Earlier this year, the Melrose, Massachusetts, Police department actually paid the ransom to unlock their files,” said Tim Erlin, senior director of IT security and risk strategy for the security firm Tripwire.
The majority of ransomware infections do not go public because they are often small in size and do not have a large impact, said Jason Rebholz, director of professional services at The Crypsis Group, a security firm.
The San Francisco incident became public because it touched a large number of systems responsible for daily operations. “These ransomware events, while more rare than typical ransomware infections, typically result in public notification due to the widespread impact,” Rebholz said.
It’s unlikely the transit system was specifically chosen as a target, as ransomware is generally a very opportunistic and financially motivated attack method, said Kevin Albano, global lead for threat intelligence with IBM X-Force.
“Recently, these campaigns have started to become a little less indiscriminate, casting a wider net to see what they’re able to compromise. Once they infect their targets, the hackers can always adjust the price if a higher value target is caught in their net,” he said.