San Francisco rail network held to ransom in malware hack
Commuters were temporarily able to ride for free on the city's transport links

San Francisco's transport agency has been hit by a malware hack, which temporarily allowed commuters to travel for free on the network.
The malware targeted computer systems across the city's transport network, disabling them with a message that read: "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter".
The hackers have issued a ransom demand of 100 Bitcoin, which equates to around $70,000 (56,000), for the return of full access to the system. As a precaution, all ticket machines were turned off during the investigation, according to officials.
Over 2,000 computers belonging to the Municipal Transport Agency (SFMTA), around 25% of the entire network, were infected by the malware, according to San Francisco news site Hoodline. The severity of the attack is still unclear, although the hackers have released documents pointing to essential internal functions including payrolls, email and database servers, and personal computer files of hundreds of employees.
"The incident remains under investigation, so it wouldn't be appropriate to provide any additional details at this point," said agency spokesperson Paul Rose. "At this point, there are not any indications of any impacts to customers."
As the system was unable to process payments, customers were able to ride for free.
The hackers used the HDDCryptor ransomware, also known as 'Mamba', to hijack the Windows OS on the network, encrypting hard drives and locking employees out.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Operating under the pseudonym 'Andy Soalis', often used in HDDCryptor ransom attacks, the hackers gave the agency "one more day" to transfer funds into a provided Bitcoin wallet.
"The SF Muni breach reinforces the repeated concerns many cyber security professionals have over internet-connected systems and the IoT as a whole," said Javvad Malik, security advocate at AlienVault. "Whenever systems are wholly digitised and made accessible publicly, there is a risk that hackers will try to gain access."
"Segregating critical systems from public systems is of utmost importance. This also includes physical segregation, so as not to have access ports or systems in publicly accessible places," added Malik.
The Municipal Transport Agency could still avoid paying the ransom, as the system does have backups that appear to have avoided infection. However, disruption is still likely to affect employees, as one anonymous SFMTA source speaking to KPIX 5 claims: "workers are not sure if they will get paid this week".
ESET security specialist Mark James believes that although the result has been free travel, users should be concerned that transport services have failed to keep data secure.
"If the systems are infected with ransomware, then access to other systems where credit card data may be stored could also be at risk, not to mention the regular data that people often overlook, such as names, addresses, DoB, security questions and answers. All or any of this may be used at a later date to obtain more data or attempted identity theft," added James.
Fare machines are now back up after the outage, however, the agency has so far remained quiet about how they managed to restore access, or if the malware is still in control of parts of the network.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
New chapter, same partners: Keeping the channel aligned with change
Industry Insights How to maintain strong channel partnerships amid evolving strategies and market change
-
Palo Alto Networks snaps up CyberArk in identity security push
News The acquisition marks the latest in a string for Palo Alto Networks
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making