SFMTA said transit services were not affected by the attack.
But fare machines inside the stations were lit up with “OUT OF SERVICE” messages over the weekend, according to the San Francisco Examiner, which was among the first outlets to report on the incident. And trains kept running — with passengers getting a free ride, the SFGate reported.
SFMTA said in its statement that the situation was contained. Spokesperson Paul Rose told trade publication BankInfoSecurity that the agency “never considered paying the ransom” and had an IT team able to “fully recover” its systems.
Station agent computers displayed the message “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.” on Friday and Saturday, according to the Examiner.
A person in control of the email@example.com email address took credit for the attack and demanded that SFMTA cough up more than $70,000 worth of bitcoins, a type of digital currency, according to the Examiner.
In an emailed response to The Post, the operator of the address did not mention a ransom, however, and said it had not intentionally targeted the transit system.
“We Gain Access Completely Random and Our Virus Working Automatically ! We Don’t Have Targeted Attack to them !,” the email read.
The email described the attack as a “proof of concept” and said SFMTA systems were poorly secured.
The person wrote that they would be happy to “advise” SFMTA on how to correct its security problems. But the apparent attacker also said they would release 30 gigabytes of data — including “employees data” and contracts — they claimed to have obtained in the attack if the transit agency did not secure its systems.
Ransomware attacks have been on the rise this year.
In April, the FBI warned that ransomware infections had hit hospitals, school districts and even local law enforcement agencies. The FBI advised businesses to regularly back up their data so it can be restored if they’re attacked.
One reason this type of attack remains popular is that, well, “it tends to work,” according to Tod Beardsley, senior security research manager at cybersecurity firm Rapid7.
“Regular backup and recovery systems have a tendency to never be tested in non-crises, so oftentimes, the victims are left with two unappealing solutions, they can either attempt to restore from untested backups, or simply pay the ransom for the decryption keys,” he explained.
This post has been updated.