Hackers have long been using ransomware to lock down victims’ computers and extort them for as much money as possible. But Saturday, ransomware seemed to reach a new milestone when San Francisco’s Municipal Transportation Agency was hit by an attack that disrupted its internal computer systems and resulted in a day of free fares for riders.

“You Hacked, ALL Data Encrypted,” the attackers wrote in a message that appeared on the agency’s computers over the weekend. “We don’t attention to interview and propagate news!” the hackers added in later messages. “Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don’t want deal! So we close this email tomorrow!”

Minor Disruption

The hackers demanded a ransom of 100 bitcoins to unencrypt the agency’s systems, worth around $70,000. But the attack seemed to have resulted in little more than annoyance for transit authorities and an unexpected post-Thanksgiving gift for riders who were treated to free rides Saturday. The system was back online by Sunday morning.

“Transit service was unaffected and there were no impacts to the safe operation of buses and Muni Metro,” the agency wrote on its blog following the attack. “Neither customer privacy nor transaction information were compromised. The situation is now contained, and we have prioritized restoring our systems to be fully operational. As this is an ongoing investigation, it wouldn't be appropriate to provide additional details at this time.”

The extortionists appeared to have used a tool called HDDCryptor, a relatively new ransomware tool capable of attacking a broad range of targets including storage drives, folders, and files. In September, security research firm Trend Micro identified the program as a serious threat to home users and enterprises.

The Shape of Things To Come?

Although the weekend attack ultimately resulted in little disruption to San Francisco’s transit system, it nevertheless represented a new development in ransomware attacks that target critical infrastructure.

In this case, the attack seemed to have originated from overseas, if the attackers’ broken English is any indication. The hackers also made use of the email address [email protected] to communicate with the agency. Yandex is an Internet company in Russia, a country that has been the subject of multiple accusations of state-sponsored hacking.

If the hackers were indeed members of a state-sponsored hacking collective, the relative success of the attack could represent a troubling preview of things to come, with foreign actors able to target key national infrastructure for profit or other motives.

Eight years ago, a hacker in Lodz, Poland, succeeded in derailing four vehicles after hacking that city’s transit system. And researchers have discovered vulnerabilities in other transit systems across the U.S. that could also be taken offline by similar attacks.

Image Credit: SFMTA.