San Francisco Transport System Ransomware Attack Reported

A ransomware attack on the San Francisco Transport System in November 2016 resulted in the encryption of computers used by the city’s light rail system. The criminals responsible for the attack demanded a ransom of 100 Bitcoin (approximately $70,000) for the key to unlock the encryption.

The San Francisco Municipal Transportation Agency (SFMTA) stated that although the attack put its computer systems out of action, transport remained unaffected. Fare gates were opened as a precaution in order to minimize the effects on customers.

Although this meant that passengers were effectively permitted to travel for free during the attack, the data was restored relatively quickly without the ransom being paid. The computer system was soon brought back online.

It appears that the attackers themselves have claimed that the infection involved in the San Francisco Transport System ransomware attack did not result from a targeted attack. The systems used to spread the ransomware act automatically; the actors themselves only become directly involved after the ransomware has been installed.

Forbes reported that messages from the attackers were visible on the ticketing systems for a short time before the computers were shut down. According to the attackers, it was what is known as a “spray and pray” attack. The installation of the ransomware was possible due to SFMTA’s weak security controls. The message from the attackers stated that ‘SFMTA network was Very Open and 2000 Server/PC infected by software!’

The poor level of English might indicate that it is not the native language of the attackers and that they are therefore of foreign origin. It is believed that the attack did not originate in the USA.

Given that the investigation has not yet concluded, SFMTA has declined to release any further details about the incident. That said, a second victim of a ransomware attack carried out by the same group would appear to suggest that the ransomware variant employed was HDDCryptor. HDDCryptor is a particularly dangerous type of ransomware which can encrypt files, disable printers and disable serial ports via Server Message Block (SMB). Moreover, HDDCryptor locks the computer’s hard drive as well as any networked drives.

The chances of recovering from an attack without succumbing to ransom demands are almost completely reliant on an organization’s ability to recover the encrypted files from viable backups. If no such backup exists, there is little choice but to pay the ransom.
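A backup is only "viable" if it can be shown, before it is needed, to be complete and unmodified. The following Python script is an added illustration of that check and is not code from the article or from SFMTA: it records a SHA-256 manifest at backup time and later compares both the backup copy and the live tree against it, so that files overwritten in place (as an encryptor would do) or dropped into the tree show up as changed or unexpected. All file names and contents are constructed for the demonstration.

```python
"""Backup viability check: a hash manifest written at backup time and verified
before a restore is trusted. Illustrative example; paths and data are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(manifest: dict, root: Path) -> dict:
    """Compare a directory tree against a manifest and report files that are
    missing, changed (digest differs, e.g. encrypted in place) or unexpected."""
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(k for k in current if k not in manifest)
    return {"ok": not (missing or changed or extra),
            "missing": missing, "changed": changed, "extra": extra}


def simulate(tmp: Path) -> dict:
    """Constructed scenario: take a backup of a small tree, then tamper with the
    live copy the way an in-place encryptor would, and verify both trees."""
    live = tmp / "live"
    backup = tmp / "backup"
    (live / "fares").mkdir(parents=True)
    (live / "fares" / "rates.csv").write_text("gate,fare\nA,2.50\n")
    (live / "schedule.txt").write_text("line N: every 10 min\n")

    # Backup step: copy the tree and write the manifest next to it (not inside it).
    shutil.copytree(live, backup)
    manifest = build_manifest(backup)
    (tmp / "manifest.json").write_text(json.dumps(manifest, indent=1))

    # Simulated tampering on the live tree only: one file's content is replaced
    # with random bytes and a note file appears; the backup copy is untouched.
    (live / "schedule.txt").write_bytes(os.urandom(64))
    (live / "README_DECRYPT.txt").write_text("constructed note file\n")

    return {"backup": verify_tree(manifest, backup),
            "live": verify_tree(manifest, live)}


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return both verification results."""
    with tempfile.TemporaryDirectory() as d:
        return simulate(Path(d))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The backup tree verifies clean while the live tree reports `schedule.txt` as changed and `README_DECRYPT.txt` as unexpected. In practice the manifest should be stored with the backup on media the production network cannot write to, and the same `verify_tree` check run periodically against the backup itself, so that a backup silently encrypted over an SMB share is noticed before the day it is needed.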

Ordinarily, the ransom amount demanded for each infected device is between approximately $300 and $700. However, as was witnessed in this attack, attackers who successfully encrypt important files can effectively name their price.