Damage caused by San Francisco Ransomware attack


No organization or individual is safe from cyber attacks.

Criminals are bad. They are bad because they want to wreck people’s lives by using techniques such as ransomware.

Yes. Gone are the days when criminals used to “just” take you wallet and rob you at gunpoint or even break into your house and steal any valuables.

Modern criminals, that is hackers and other cyber criminals, are very clever people unlike the ones in the past who barely made it out of high school.

Hackers and other cyber criminals of today can do amazing things with their hands, mostly fingers though, and law enforcement agencies all around the world (presumably filled with graduates from some of the best universities in the world) chase after them with little success.

That doesn’t stop these hackers along with other cyber criminals from being sadness and grief to not only individuals but also to organizations, institutions and more recently key infrastructure, online and off.

How do they do it so easily?

We already gave you a hint.

Hackers and cyber criminals cause damage through the use of ransomware.

Ransomware is only one of the handful of ways hackers and cyber criminals can unleash havoc in the online world as well as in the real world.

The reason for that is ransomware versatility.

A ransomware can be used to knock out a business or even an entire facility, such as a police station or a hospital, with nothing but some of their infections.

The latest victim at the hands of hackers and cyber criminals who use ransomware is San Francisco’s very own transport system.

Last weekend saw San Francisco’s transport system get affected by a ransomware and malfunction helplessly.

More specifically though, some previously-released ransomware that was only meant for PCs back in the day, somehow, managed to sneak into computers that were located at the local Municipal Transportation Agency.

The ransomware (sent by hackers and cyber criminals) got to work very quickly and immediately hit San Francisco’s light rail system, in other words, the Muni.

What Happened After Ransomware Was Discovered in Computers At The Municipal Transportation Agency?

Home users are particularly vulnerable to ransomware attacks.

It is safe to say that whatever could have happened, happened.

The ransomware spread itself and started its work of destruction (figuratively speaking of course).

Hackers behind the ransomware attack, according to many reports published in the media, demanded a good sum of money.

A hundred Bitcoin please, seemed to be the demand.

For those not familiar with the Bitcoin market, a hundred Bitcoin is worth about seventy thousand US dollars (that’s $70,000).

The hackers also made it known that they would only release the capture Muni computer machines from their firm hold and control only when their demand was met.

The demand was a simple matter of $70,000, as we have mentioned before as well.

Did The Hackers Get Their Money?

Not quite.

The thing with ransomware attack is that there is a good chance that if a hacker hits an important facility or infrastructure, that particular facility or infrastructure might already have engineers on-site to deal with the situation.

According to many reports in the media, that is exactly what happened.

How did they know if the ransomware attack was successful or not?

Well, it was successful in one way and unsuccessful in another.

The ransomware attack on San Francisco’s transport system was successful in the sense that hackers managed to get a hold of many of their computer machines.

The ransomware attack was not successful in the sense that the hackers didn’t get what they wanted.

That is, money.

A whole $70,000 of it.

At least that is what most of the media is assuming.

Regardless of all the media reports, the likely possibility is that the hackers didn’t get paid a single dime because of the simple fact that the transport network came back online the next morning.

Hackers who wanted the $70,000 from authorities for ridding the transport network of their infection must have kicked themselves for not mounting a strong enough attack.

But that’s how this game goes.

Sometimes hackers are able to infiltrate even the most secure of facilities.

Other times, they are caught and then put behind bars.

Though that happens very rarely indeed.

Is That It? Hackers Used Some Ransomware But Didn’t Get Paid?

Security firms along with organizations themselves should invest more heavily in IT security and education.


It turns out, hackers who hacked into San Francisco’s transport system were kind enough to leave a message for all concerned parties.

On Friday as well as on Saturday, it has been revealed.

The message though, was pretty brief and was left on all Muni ticketing systems.

From the message, it did become somewhat clear that they didn’t know how to write proper English.

Or they might have been short on storage and hence decided to keep it as short as possible.

The “official” message from the hackers read,

“You Hacked, ALL Data Encrypted”

The first time you read the message, you should be able to notice the use of all caps on the word “all”.

In other words, hackers wanted to make sure that the affected party knew precisely what they were dealing with.
What the authorities were dealing with was a complete loss of data and control of their computer machines.

Unless they coughed up about $70,000 that is.

Of course, when hackers do get their hands on an important piece of infrastructure, they always make sure to explain their demands more than normal in order to extract the maximum amount of money from the victims.

In San Francisco’s transport system’s case, the hackers actually explained, in broken English though, that they did not specifically target San Francisco’s transport system.

To put it another way, the hackers wanted to relay the message that their ransomware attack was a random one.

More specifically, it was a clear indication that the Muni was hit with a ransomware that was part of a larger “spray and pray” cyber attack.

That is what most of the media is reporting as far as the ransomware attack on San Francisco’s transport system is concerned.

In an “official” message, the hackers said that they did not pay much attention (at least that is what most of the media understood from the message since the written English was terrible, to say the least) to interview and propagate news.

Then they further “clarified” that their software, which was actually a ransomware, worked absolutely automatically and hence they didn’t need to attack a certain target anywhere.

In other words, their ransomware could target any potential victim, anywhere on earth.

The hackers also explained that the San Francisco Municipal Transport Agency network was extremely wide and very open.

As a result, one of its PC/Server which was on Windows 2000 got infected by the ransomware quite easily.

What Else Did The Hackers Say?

The hackers clearly did not want to name their “invention” as a ransomware and hence kept addressing it as software, which of course it was not.

In the concluding remarks, the hackers said that because the computer machines were now infected with their ransomware, they were (patiently) waiting for some sort of contact from a person with authority, preferably from San Francisco Municipal Transport Agency.

The hackers also said that they didn’t think that people representing San Francisco Municipal Transport Agency wanted to deal with them and hence they had already decided that they would close this email message by tomorrow.

Later the official twitter account of San Francisco Municipal Transport Agency tweeted that San Francisco Municipal Transport Agency’s Fare Machines were back up and running.

What Happened To The Ransomware?

As fate would have it, the ransomware did not shut down the transport network.

In fact, the ransomware simply turned off all the machines and basically allowed nearby passengers to have free rides using the network’s services.

However, the very next day, the whole of San Francisco Municipal Transport Agency’s system was wiped clean of the ransomware infection and things went back to normal.

A spokesperson for San Francisco Municipal Transport Agency later informed Forbes via email that the San Francisco Municipal Transport Agency could definitely confirm that a cyber attack did take place.

The spokesperson continued and said that the ransomware attack disrupted some of their internet computer systems like email and others but fare gates were again operational at the time of contact.

He also said that the staff of San Francisco Municipal Transport Agency already opened them on Friday and Saturday as a precaution to minimize any possible impacts to customers and that there had been no impact to the transport service itself or any of its safety system or even to any of the service’s customers sensitive/personal information.

He concluded his statement with Forbes by saying that the cyber attack incident was not over and authorities were keeping it under investigation and hence it was not appropriate for San Francisco Municipal Transport Agency’s spokesperson to provide any kind of additional details which could affect the investigation at this point.

What About The Actual Hackers? Who Were They? Where Did They Come From?

At the time of writing this post, various reports in the media had managed to figure out that the cyber extortionists who tried to victimize San Francisco Municipal Transport Agency were actually seasoned hackers.

They were seasoned hackers in the sense that they had a pretty long history in the field of cyber attacks carried out through the use of ransomware.

The hacker’s history showed that the group had carried out similar cyber attacks many times before and always demanded ransom from the victims (that is the web users who got infected with their ransomware).

The hackers used the email address by the name of [email protected] and through it told the victims of their ransomware related cyber attacks that if they needed to have any kind of access to their personal/sensitive data ever again they would have to come up with the required amount of money in order to buy the encryption key which would unlock their machines.

Interestingly enough, one of their previous victims which had fallen to the hackers’ schemes via the same email address wrote an account of the incident.

The victim wrote on Bleeping Computer that they had managed to discover that the malware used by the hackers to infect computer machines was, in fact, HDDCryptor.

Moreover, the victim’s revelations were further confirmed by the likes of Bleeping Computer and other reports from online security firms such as Trend Micro who, both, noted a sharp increase in the activity levels that were related to the same variant of the ransomware that was used by these hackers.

The surge became prominent in the months after August.

Stephen Hilt and William Gamazo, who are both researchers at the online security firm by the name of Trend Micro, wrote in an official blog post that the HDDCryptor not only targeted resources in the network shares such as drives, folders, along with printers and serial ports with the use of Server Message Block but was nasty enough to lock the drive as well.

Trend Micro Researchers Speak On The Ransomware In Question.

The researchers from Trend Micro also wrote that such destructive routines made that specific variant of ransomware a very credible and serious threat to not only individual/home users but also to big/small enterprises.

The blog post further explained that HDDCryptor worked like a ransomware as a service (more commonly known as just RaaS) and basically embodied how little effort can be made to go a long way.

Nevertheless, the blog post stated, the most important point of the issue was how HDDCryptor utilized commercially available software to do its wicked bidding and then (ultimately) affected end users along with businesses (big and small) actually footed the bill for all the cybercriminals involved.

With that said, no one is quite sure if there is only one hacker group that is capable of carrying out such cyber attacks.

In other words, researchers have found out that various email addresses (in the past) have been connected to HDDCryptor ransomware email messages.

This could actually point out that there might be multiple criminal groups and hackers who may have access to this type of malware.

Conversely, it could also mean that the same hacker group is clever enough to use multiple email addresses in order to cover their criminal tracks.

Who Exactly Are The Hackers?

Unfortunately, no one really knows since the hackers have been pretty successful in, first, causing a massive amount of disruption and then coercing their victims to pay exorbitant amounts of ransom in exchange for the encryption key.

Back in September of the same year, one particular member of a malware-infecting hacking group used the email address [email protected] to acquire a total of four payments with each payment amounting to something between six hundred and seven hundred US dollars.



One thought on “Damage caused by San Francisco Ransomware attack

  1. I wonder now, if one of those hackers gets caught, what kind of fine will he have to pay? Or how many years of imprisonment will he get? Because this is basically stealing, and we’re talking about millions of dollars here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.