The San Francisco Municipal Transportation Agency (SFMTA, also nicknamed Muni) has published a statement denying rumors that the hacker who infected their systems with ransomware might have stolen data from its servers.

Late Monday afternoon, the SFMTA shed some light on the events that took place over the weekend, making sure to reassure employees that their data is safe and their paychecks will come on time.

SFMTA spokesperson Kristen Holland clarified some of the inaccurate media reports, providing a timeline of events.

Ransomware affected only 900 computers, not 2,112

According to the SFMTA spokesperson, the infection took place on Friday, November 25, and affected only 900 computers, not 2,112, as initially reported.

Holland said the ransomware, known as HDDCryptor, affected only office computers that provided access to various systems, but not the systems per se. Customer payments, employee payroll data, and emails were all safe, being kept on separate systems.

To avoid any inconvenience to Muni customers, the agency shut down ticket machines and fare gates in Muni Metro subway stations until 9 AM, local time, on Sunday. Activity returned to normal after that.

The hacker didn't steal anything

In a statement that the hacker shared with several news agencies on Monday, a man calling himself Andy Saolis said he stole 30GB of data and still had backdoors in the SFMTA network.

The agency said the hacker did not breach its network from the outside, so the claims he based on that presumption, including the alleged data theft and lingering backdoors, are not true.

Communication with Saolis is now impossible, since the hacker appears to have lost access to his email account after a researcher guessed the answer to his secret question and took over the account.

Sharing information with journalist Brian Krebs, the researcher revealed that Saolis had previously infected and successfully extorted other companies such as China Construction of America Inc., Skillman, Irwin & Leighton, CDM Smith Inc., and the Rudolph Libbe Group. All are small companies based in the US.

SFMTA handled the ransomware infection by the book

The SFMTA spokesperson said the agency contacted the Department of Homeland Security (DHS) immediately after detecting the ransomware infection.

The SFMTA officials did the right thing, as this is the standard procedure the FBI recommends to ransomware victims.

"The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing," Holland explained.

"Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two."

The SFMTA's response is a model of how a company should handle a ransomware infection. The first thing companies should do, well before any incident, is to run timely backups of all their systems. Once they detect a ransomware infection, they should contact the authorities, and then restore data from backups after investigators have collected any files they need as evidence.
