The hacker responsible for a major ransomware attack on San Francisco’s “Muni” rail network has extorted more than $100,000 across multiple attacks over the past few months, it emerged after he himself was hacked.
An unnamed security researcher managed to gain access to the email account the attacker listed in his ransom message to the San Francisco Municipal Transportation Agency (SFMTA) on Friday, according to Krebs On Security.
Guessing the answer to the account’s secret question apparently allowed the white hat to reset its password.
That account contained a ransom message sent on Friday to an SFMTA infrastructure manager, along with details of more than a dozen Bitcoin wallets, suggesting he has extorted over $140,000 from companies since August.
His main targets also appear to have been US manufacturing and construction companies, most of which paid a ransom of around one Bitcoin (roughly $730 at the time) per server.
The attacker used open source tools to scan for internet-connected machines running exploitable software, with Oracle servers, including those running Primavera project portfolio management software, particularly favored.
Some victims even paid extra Bitcoins in return for information on how they had been breached, the report claimed.
More than 300 addresses linked to an attack server used by the black hat appear to be located in Iran, although a contact phone number he supplied belongs to a Russian mobile.
It appears the hacker will be out of luck this time, as the SFMTA has said it will not pay the ransom.
A lengthy statement issued on Monday included the following:
“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.
Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”
However, the weekend outage, which affected “900 office computers”, and the resulting lost fare revenue should be a reminder of the need for layered security at the gateway, endpoint, network and server levels, backed by tested backups, to combat the threat of ransomware.