FBI, Homeland Security aid Muni on cyber attack

The Department of Homeland Security and the FBI are now working with the San Francisco Municipal Transportation Agency after the transit agency was hit by a cyber attack sometime Friday, transit officials said.

Kristen Holland, deputy spokesperson for the SFMTA, wrote on the transit agency’s website that once the officials discovered the malware, they contacted DHS to help identify and contain the virus.

The malware, called ransomware, affected internal computer systems such as the transit agency’s email system and made approximately 900 office computers inoperable. A photo from the San Francisco Examiner showed a station agent computer inside a Muni Metro station that was also affected by the virus.

Holland said existing backup systems allowed the SFMTA to get most of the computers back up and running Monday morning. The transit agency expects to get the rest of the computers running again in the next day or two.

Andy Ozment, assistant secretary for cybersecurity and communications for DHS, wrote on the department’s website in April that there had been an increase in ransomware attacks across the nation. He said ransomware is a type of malicious software that, once downloaded, will block access to a user’s computer until the user pays a ransom.

He explained how ransomware may get downloaded on a computer:

“Criminals may try to persuade you to inadvertently download ransomware, which would then infect your computer. For example, if you’re visiting a website, you may see a message like, “Your computer has been infected with a virus. Click here to resolve the issue.” In these cases, the computer has not yet been infected with ransomware, but clicking the link downloads the ransomware onto your computer.”

It’s unclear though if this was the case for the SFMTA’s ransomware attack as transit officials have not yet said where the attack originated from or how it got into the transit agency’s computer system.

Ozment said once an individual downloads the software, a message usually appears that says the computer will remain locked until the individual pays the ransom.

Individuals are not the only ones vulnerable to ransomware attacks; government and law enforcement agencies and healthcare systems are vulnerable as well, said Ozment.

The United States Computer Emergency Readiness Team lists recommendations to prevent ransomware attacks from happening in the future on its website.

Muni Metro service and bus service were not affected by the ransomware attack, said SFMTA spokesperson Paul Rose. He added that the attack did not impact safety systems inside the subway or customer personal information.

SFMTA officials, working with Cubic Transportation Systems, which operates the Clipper system, shut off ticket vending machines inside the Muni Metro stations and fare gates as a precaution.

Muni riders were able to ride the subway for free for part of Friday and all of Saturday, until Sunday at 9 a.m., said Holland.

Station agent computers were also inoperable because of the ransomware attack, according to the San Francisco Examiner. Computers read “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

The Examiner contacted the email address displayed in the message. Someone named “Andy Saolis” replied, demanding the transit agency pay 100 Bitcoin, or approximately $73,000. The deadline to pay was Monday, but has now been extended to Friday.

Holland said:

“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

On Monday the Examiner reported a new threat from Saolis, who said 30 gigabytes of information would be released that included contracts, employee data, LLD plans and customer data.

Holland said that hackers did not gain access to firewalls and that data was not accessed from any of the transit agency’s servers.