Ransomware hits San Francisco’s transport system, users get free rides

The computer systems of the San Francisco Municipal Transportation Agency have been hit with ransomware on Friday. The infection apparently still persists on some of the systems, but others have already been cleaned and restored.

Ransomware hits San Francisco

According to The Register, some 2,112 computers, including office desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs have been compromised after the malware found its way to the company’s network’s domain controller and spread further from there.

The malware is a variant of the HDDCryptor (aka Mamba) ransomware, which encrypts files in mounted drives and network shares, locks the computers’ hard disk, and overwrites their boot disk MBR.

The ransom note left by the malware contained a Yandex email address through which to contact the criminals. They apparently asked for a ransom of 100 bitcoin (around $73,000) to be transferred into a specific bitcoin wallet, but it has yet to be paid by the affected agency.

Its spokesman did not share any details about the attack. He just said that the buses and the Muni rail system are working as usual, and that users could use those services for free starting on Friday night and all through Saturday.

Some payment/ticketing systems have now been restored, but it will likely take a while until all the affected systems are back to normal.

The attackers are apparently not interested in the data those systems contained, just the money they could get for the decryption keys. The Register contacted the attackers through the given email address, and they said that the attack wasn’t targeted. “Our software [is] working completely automatically,” they said,” and the “SFMTA network was very open.”

The attackers told the SF Examiner that the malware got into the network after someone at SFMTA ( with a computer with admin privileges) downloaded a software keycode generator containing the ransomware.

They also confirmed that they weren’t yet contacted by anyone at the agency, and that the ransom has not been paid. They also believe that it won’t be paid.

The SFMTA released a statement about the incident on Sunday, and said that neither customer privacy nor transaction information were compromised in the attack.

“The situation is now contained, and we have prioritized restoring our systems to be fully operational,” they added.


Subscribe to the Help Net Security breaking news e-mail alerts:

More about

Don't miss