Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

How San Francisco's Transit System Warded Off Ransomware Hackers

For all Muni Metro passengers knew, the free rides they were getting Friday night and Saturday were a holiday gift from the transit system. Little did they know Muni was under attack from a hacker trying to squeeze $73,000 in ransom to unlock the agency's computer systems.

By Michael Cabanatuan and Marissa Lang

For all Muni Metro passengers knew, the free rides they were getting Friday night and Saturday were a holiday gift from the transit system. Little did they know Muni was under attack from a hacker trying to squeeze $73,000 in ransom to unlock the agency's computer systems.

Muni refused to pay up. Instead, officials shut down the system's ticket machines, threw open the fare gates as a precautionary move, and contacted the Department of Homeland Security and their own technology division to contain the attack, they said.

"Considering paying that ransom was never an option," said Paul Rose, an MTA spokesman.

By Sunday morning, the fare gates and ticket machines were up and running, and by Monday most systems were working again, Rose said.

The anonymous hacker used a ransomware attack -- malicious software sent via email -- to lock up employee computers at 900 workstations, shut down Muni's email system and knock out the time-tracking portion of its payroll system, Rose said.

The hacker displayed messages on otherwise dark computer screens declaring "You hacked," and asking for 100 bitcoins, a digital currency, or about $73,000. Muni never communicated nor negotiated with the hacker, Rose said. Instead, Muni officials relied on advice from federal officials and a backup system to restore the network.

"We were ready," Rose said.

Confidential information such as customer or employee credit and bank account numbers was never compromised, he said. The hacker never had access to the computers that control trains, fare gates or ticket machines, he added.

"There was never an impact to transit service or safety systems, and no customer information was breached," Rose said. "We're working with the FBI, trying to identify any suspects."

FBI officials in San Francisco did not return calls for comment.

The attack mainly affected the ability of Muni employees to log on to some computers and to send and receive emails, Rose said.

Silicon Valley venture capitalist Mahendra Ramsinghani, who invests in early-stage technology security companies, lauded Muni for quickly restoring its systems without succumbing to the ransom demand.

"If they were able to pull this off, it speaks to their technical abilities," he said. "There are a lot of agencies that don't have those abilities. There are so many examples where people pay."

Typically, he said, victims don't have a backup as Muni did, leaving them with the choice of taking a long time to rebuild their system or meeting the perpetrator's demands.

Ransomware attacks are an increasingly common type of cybercrime scheme in which hackers send out thousands of random emails, hoping someone will inadvertently invite them inside a company or agency network by clicking on a link.

The FBI estimates that $150 million a year in the U.S. is exchanged through ransomware crime as victims cave to hackers' demands. Worldwide, cybercriminals raked in nearly $325 million last year from individuals and businesses by using ransomware called CryptoWall.

Though ransomware attacks vary in execution -- some are targeted and complex, while others are wide-reaching, such as the one on Muni -- the way they ensnare victims is largely the same, cybersecurity experts said: They lay a trap.

People are conned into clicking on an infected pop-up in their Web browser or an email attachment that opens the malware and allows it entry to the computer system. Outdated software and unprotected systems are particularly vulnerable. Once infected, the system will shut down and alert the user that it has been infected. Hackers then hold the computer hostage until payment has been received.

Hackers usually ask for a specific amount -- a number they believe to be realistic and low enough -- to make it easier for victims to make payments and regain access to files, said Tim Erlin, the director of IT security and risk strategist for the security software company Tripwire.

"These attacks are becoming more common because they work," he said. "The goal of a ransomware attack is to generate money or profit for the criminal involved. If you pay the ransom and get your files back, it creates a climate of trust for the victims, and if the criminal charges a ransom that's relatively low -- less money than it may cost to get your files back through other methods -- that tends to make them successful. It's an economy. Not a legal economy, but an economy nonetheless."

Ransomware hackers will often escalate the threats as time ticks away and payment is not received, in an attempt to capitalize on people's fear of what they might do with the information they have co-opted.

On Monday evening, a Forbes report said the Muni hacker was threatening to release files containing Muni employee and customer information. Rose said the MTA is convinced the hacker is bluffing.

"We've conferred with the Department of Homeland Security and, based on information from our internal team, we don't believe he has access or those files," Rose said.

It's not the first time a public agency has fallen victim to a ransomware attack.

Despite the widely held belief that paying off hackers encourages more attacks, several police departments that fell victim to ransomware last year chose to pay hackers rather than lose access to their files. Over the summer, malware was found in San Antonio's mass transit computer systems, and electronic traffic signs in Austin, Texas, were hacked earlier this year.

"Critical infrastructure, both large and small, remains a target and is susceptible to ransomware," Andrew Storms, a vice president at San Francisco cybersecurity firm New Context, wrote in an email. "IBM has named transportation as a key cybertarget, given that the sector is increasingly relying on computer-based control, and yet security is such that hackers can cause a lot of damage with comparative ease."

Michael Cabanatuan and Marissa Lang are San Francisco Chronicle staff writers. Email:,

(c)2016 the San Francisco Chronicle

Caroline Cournoyer is GOVERNING's senior web editor.
From Our Partners