The hacker claiming responsibility for last week’s ransomware attack on the San Francisco Municipal Transportation Agency has been hacked.
According to security researcher Brian Krebs, the criminal—someone calling themselves “Andy Saolis”—was the target of a breach that revealed details about other hacks allegedly carried out by Saolis.
The Friday hack meant free rides for all that night and into Saturday, as payment kiosks were inaccessible. Saolis later claimed responsibility and fielded questions from the media via email. On Monday, a security analyst accessed that email account by guessing the answer to Saolis’ secret question and resetting the password, the researcher, who chose to remain anonymous, told Krebs.
Based on messages obtained from the inbox and published by Krebs, Saolis on Friday contacted SFMTA infrastructure manager Sean Cunningham and demanded 100 bitcoin ($73,000) in exchange for re-entry into SFMTA’s encrypted servers.
Saolis, however, has successfully extorted at least $140,000 from victims since August, Krebs reports.
Last week’s SFMTA outage—which disrupted about 900 office computers—was not a targeted strike; instead, it appears the infection spread through a SFTMA employee with “admin level” access, whose PC was used to download a software keycode generator carrying the malicious code.
Despite employee concerns about missing a paycheck, the San Francisco MUNI confirmed that there will be no impact to payroll services. Meanwhile, customer payment systems were not hacked, and no data was accessed during the breach.
