Hackers infected a computer network operated by San Francisco’s public railway system with malicious software over Thanksgiving weekend.
After two days of interrupted ticketing service and free rides for passengers, the railway’s station kiosks went back online on Sunday. A day later though, the hackers were still threatening to expose 30 Gigabytes of stolen employee and customer data, Fortune learned through a series of email exchanges with the alleged attackers.
The group said that it would release the supposedly stolen information if the agency failed to fix its vulnerable systems and pay an undisclosed sum by Friday. The attackers refused to send Fortune a sample of the data for verification, writing that “i show you later if they don’t contact us.”
Get Data Sheet, Fortune’s technology newsletter.
The San Francisco Municipal Transportation Agency did not immediately reply to Fortune’s request for comment about whether it planned to make the payment or address the issue in some other way.
Paul Rose, an agency spokesperson, has said that “there is an ongoing investigation and it wouldn’t be appropriate to provide additional details,” according to the San Francisco Examiner, which first reported the computer network outage.
What happened
Starting Friday afternoon, the ticketing machines of San Francisco’s railway, known locally as Muni, read “You Hacked, ALL Data Encrypted.” The message, consistent with a ransomware attack, urged people to contact the operator of the email address cryptom27@yandex.com for a key.
The “key” referenced is an encryption tool that can scramble and unscramble data. Cybercriminals commonly use these keys in conjunction with phishing scams to lock people out of their digital files, and to extort them for regained access.
In this case, the attackers reportedly demanded 100 Bitcoins, or roughly $73,000, in ransom, according to the Examiner. So far, the Bitcoin address in question has recorded three transactions totaling a mere 0.002409 Bitcoin, or less than $2.
https://twitter.com/SF_CA_RR/status/802702146793783298
Who the hackers are
In response to an emailed inquiry from Fortune, the hacker group identified itself as “Andy Saolis,” a pseudonym linked to a number of other ransomware incidents.
Saolis told Fortune that the railway computer network ransomware strike was an automated attack rather than a targeted one, that it exploited outdated software used by the agency, and that the breach extended beyond station kiosks.
The agency is “using very old system’s !” the person behind the email address said. “We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …!”
“We Gain Access Completely Random and Our Virus Working Automatically !” he continued. “We Don’t Have Targeted Attack to them ! It’s wonderful !”
Saolis suggested that the hack involved a team based outside the U.S., although it was impossible to confirm the claim.
“We Don’t live in USA,” he said. “Sorry For My English anyway ;)”
Fortune requested a sample of stolen information to verify the attackers’ claims of having access to 30 GB of stolen data, but the email address administrator declined.
Hoodline, a Bay Area news blog, reported that it had, however, seen evidence suggesting that the compromise extended beyond Muni ticket payment terminals. The breach also appears to encompass “payroll, email servers, Quickbooks, NextBus operations, various MySQL database servers, staff training and personal computers for hundreds of employees,” the blog reported, citing documents released by the attackers.
The hackers also claimed to have control of 2,112 computers, or about a quarter of the 8,656 computer on the agency’s network, Hoodline reported.
A CBS News affiliate posted on Twitter an image reportedly depicting an employee’s affected Dell desktop PC.
.@sfmta_muni giving free rides today because hackers shut down the computer system. Employee computers showing this pic.twitter.com/fvVnUayWVG
— CBS News Bay Area (@KPIXtv) November 27, 2016
The malware
The software used to hijack these computers is believed to belong to the malware strain known as HDDCryptor or Mamba. The program affects Microsoft Windows computers by encrypting their hard drives until unlocked by a certain password.
Computer security experts call the kind of cybercriminal tactic that led to the infection “spray and pray.” Crooks, in other words, use an automated system to blast prospective victims with links to malware, or lure them to a boobytrapped webpage.
In this case, the attackers said that an IT admin at the transportation agency downloaded one of their malware-laced a torrent files, a type of data format, according to the Examiner.
Reports of ransomware infections have been on the rise recently. The Federal Bureau of Investigation has been warning businesses to be on the lookout for attacks.
