After three days without payment, an unnerved hacker that infected computer systems with ransomware operated by the San Francisco Municipal Transportation Agency threatened to leak 30 gigabytes of sensitive data late Monday night. SFMTA spokesperson Paul Rose is calling the hacker’s latest threat a bluff, and one report says a security researcher traced the attacker to a computer in Iran.
News reports have greatly exaggerated, according to Rose, the actual impact of this infection and number of devices controlled by the hacker. Existing backup systems allowed SFMTA to get most affected computers up and running on Monday morning. An in-house IT team anticipates having the remaining computers functional by Wednesday night.
“Despite media reports — no data was accessed from any of our servers,” Rose said in an email to CyberScoop. “The malware used encrypted some systems mainly affecting computer workstations, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Our customer payment systems were not hacked.”
Rose says that SFMTA is working with the FBI and the Department of Homeland Security to fully investigate the incident in an effort to identify the perpetrator behind the headline-grabbing cyberattack.
On Friday, SFMTA employees and riders found that company computers, email and payroll systems were held hostage. The hacker requested a ransom of roughly $73,000 in bitcoin for restored access, leaving an email address, email@example.com, and name, Andy Saolis, in public view.
“The primary impact of the attack was to approximately 900 office computers. The SFMTA’s payroll system remained operational, but access to it was temporarily affected,” Rose said. “SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems and that is what they are doing.”
A report by Brian Krebs, the Washington Post journalist turned cybersecurity blogger, says an unnamed security researcher claims to have doxxed Saolis. The hacker compromised Saolis’ apparent email, leading ultimately to the discovery of an attack-staging server equipped with different hacking tools.
Basic server registry and log activity information point to an internet address in Iran with several names attached to it, including “Alireza,” according to Krebs’ sources. Based on a review of the attacker’s bitcoin wallet, it also appears the ransomware operator behind the aforementioned SFMTA operation was able to successfully extort several manufacturing firms in the past.