San Francisco transport system ransomware attacker also extorted other US-based businesses

The ransomware attack that hit the San Francisco Municipal Transportation Agency last Friday is just one of many mounted by the same attacker.

San Francisco transport system ransomware attacker

According to an unnamed security researcher who managed to hack the attacker’s email account, a number of US-based manufacturing and construction firms have been hit before the SFMTA, and at least one of them paid the ransom.

The researcher told Brian Krebs that he managed to guess the answer to the secret question that allowed him to reset the password for the attacker’s email account (

There he discovered the existence of a backup email account ( which he also managed to compromise by using that very same answer to the secret question.

A perusal of both accounts revealed:

  • That the attacker sent a ransom demand to SFMTA infrastructure manager Sean Cunningham last Friday
  • That he’s been extorting US-based companies for months
  • That he has managed to extort at least $140,000 in Bitcoin from the various victims, and likely more, as the attacker also uses a third email account that the researcher hasn’t managed to access
  • Plaintext credentials for accessing one of the attacker’s attack servers, which contains open source tools used to scan the Internet for vulnerable servers (especially Oracle servers) and compromise them
  • The logs from the attack server point to the attacker accessing it from various IP addresses in Iran. The language used by the attacker to write down notations seems to be Persian (Farsi) – a language primarily spoken in Iran, Afganistan and Tajikistan. User account names on the attack server (“Alireza,” “Mokhi”) also point to someone of Iranian origin. But, curiously enough, the contact phone number tied to another of the attacker’s hosting accounts is provided by a Russian mobile phone provider
  • The identity of some of his victims: China Construction of America Inc., Rudolph Libbe Group, CDM Smith Inc., and so on. So far, it’s known that China Construction paid the ransom
  • That aside from asking for ransom, the attacker also offered to share tips on securing servers (for a small fee) and, in at least one case, a victimized company accepted the offer and paid for the advice.

The SFMTA did not pay the ransom, and has never even considered doing so.

“We have an information technology team in place that can restore our systems, and that is what they are doing,” a spokesperson for the agency stated on Monday.

“Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”

No data was stolen from the agency, and the attack did not affect their customer payment systems or payroll system, the spokesperson added.

This publicly revealed attack has proven (again) that ransomware is a lucrative business, and that having a good backup strategy is a must in this day and age for every business.

Don't miss