On Saturday, November 26, Muni terminal screens displayed the words, "you hacked, ALL data encrypted," followed by an email address to contact. Saolis was requesting over $73,000 in bitcoin in return for not exposing stolen data. The San Francisco Municipal Transportation Authority (SFMTA) denies that media was accessed from its servers.
Rather than shut down the transit system, Muni left the turnstiles open and kept the service running. Fare kiosks had messages saying "Out Of Service" and handwritten "Free Muni" notes taped to them. The SFTMA says the fare system wasn't hacked, but was shut down as a precaution. Hoodline notes that Muni stood to lose about $559,000 in fares per day.
The plot thickens, though, as a "security researcher" subsequently hacked the account the first hacker provided for ransom instructions. This white hat hacker who hacked Saolis tells Krebs on Security that they guessed the answer to the email account's security question to gather information, including possible clues to their identity. Looking at accounts and previous bitcoin wallets Saolis had used shows that they had scored up to $140,000 in previous ransomware attacks, mostly perpetrated on construction companies and consulting firms using specific, vulnerable software.
While email addresses and a phone number used by Andy Saolis point to Russia, notes uncovered in the Krebs investigation used Farsi or Persian, which indicate Iran as a possible locale for the hacker, as well as the use of another alias, Alireza and Ali Reza, variants on a common name in the Middle East.
Anyway, fare machines were back online on Sunday. A statement from the SFMTA on Monday says, "Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next two days."
If you're looking to glean some sort of lesson from this, Krebs on Security suggest backing up data offline, and never using real answers for security questions.