Ransomware known as HDDCryptor (or Mamba) has infected 2,112 computers belonging to the San Francisco Municipal Railway system (nicknamed Muni).
The infection took place over the weekend and Muni officials had to allow locals to ride the railway system for free after they couldn't issue tickets.
The San Francisco Examiner reports that 2,112 of Muni's 8,656 computers were infected, including the institution's payment and railway scheduling system. The email system was also affected.
Due to the ransomware's impact officials had to assign routes via handwritten notes posted on bulletin boards.
In some cases, the ransomware message was visible to Muni passengers, as it affected computers showing advertisements, route information, or time schedules. Ticket booths were down all across the city. San Francisco local Colin Heilbut took a snapshot of one of Muni's infected computers and posted it on Twitter.
Another photo also posted on Twitter showed out of service ticket dispensers.
The message that appeared on the screen of Muni computers reads: "You Hacked, ALL Data Encrypted. Contact For Key(email@example.com)ID:681 ,Enter."
This is the typical message shown by HDDCryptor variants, a type of diskcryptor ransomware that rewrites a computer's MBR (Master Boot Record) boot sectors and locks users out of their PCs.
This variant, called HDDCryptor or Mamba, appeared at the start of 2016, but continued to make victims all year. Bleeping Computer published an article on the ransomware's technical capabilities back in September.
About a week after our article, a user reported an HDDCryptor infection on the Bleeping Computer forums that featured the same email address as the one used in the Muni attack.
Bleeping Computer reached out to the ransomware author via email but has yet to hear back. Nevertheless, the author had responded to a few media inquiries from local San Francisco newspapers.
Calling himself Andy Saolis, the ransomware author said this was an accidental infection, and that he didn't specifically target San Francisco's Muni system.
He also said Muni officials have to pay $73,000 (100 Bitcoin) to gain access back to their computer network.
In a separate answer provided to The Verge, Saolis hinted that Muni officials won't pay the ransom and that he'll close his email account to avoid further scrutiny.
If Muni officials would decide to pay, they wouldn't be the first. Back in February, the Hollywood Presbyterian Medical Center agreed to pay $17,000 for a ransomware infection. The attacker initially asked for $3.6 million, after infecting most of the hospital's computer network. Similarly, the Horry County school district in South Carolina also agreed to pay $8,500 after suffering a similar faith.
UPDATE: Saolis has replied to Bleeping Computer's inquiry and the hacker had some interesting information to share.
First and foremost, Saolis acknowledged that he didn't target Muni specifically, and that it was an accidental infection.
"We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …! We Gain Access Completely Random and Our Virus Working Automatically ! We Don’t Have Targeted Attack to them ! It’s wonderful !," the hacker wrote.
Surprisingly, Saolis said that he still has access to Muni's systems even now.
"Yes we have many backdoor and vulnerability there ! i don't Try to gain access to Operational Railway System's because it's maybe Dangerous For ppl," the hacker wrote.
He also says that he stole internal company documents, which he's ready to release online if the company doesn't pay the ransom and fix their systems.
"We Don’t live in USA but I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don’t , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!"
The hacker is not yet ready to release the data, though, and says he's still hoping Muni officials decide to pay him. Saolis declined to provide a sample of the database to Bleeping Computer to validate his claims.
We also updated the article to remove the mention that Saolis initially hacked Muni through a Windows Server 2000 machine. We misunderstood the hacker's English (not native language). He was saying he hacked 2000 server/PCs.