Skip to content ↓ | Skip to navigation ↓

A security researcher hacked the actor who’s responsible for a ransomware attack against the San Francisco Municipal Transport Authority (SFMTA).

A variant of HDDCryptor ransomware is believed to have struck the SFMTA on 25 November and encrypted as many as 2000 systems at the public transport agency.

While the city’s bus and train network continued to operate smoothly, SFMTA had no choice but to let its passengers ride for free while it worked to remove the ransomware.

Hacked message

Kristen Holland, a spokesperson at the transport agency, said on Monday that SFMTA never considered paying the ransom:

“We have an information technology team in place that can restore our systems and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next two days.”

At the time of the attack, we knew little about the attacker other than the fact that they sought to use the email address to extort 100 Bitcoins (approximately 73,000 USD) from the SFMTA.

But thanks to a security researcher, we know now a little more about the miscreant behind this attack.

Information security investigative reporter Brian Krebs explains:

“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password. A screen shot of the user profile page for shows that it was tied to a backup email address,, which also was protected by the same secret question and answer.”

Those accounts contained copies of the ransom message that the attacker sent to the SFMTA. In addition, a message sent to included the credentials for a hosting provider.

The security researcher retrieved multiple files from that server. With the help of others in the field, Krebs analyzed that data and confirmed what many of us had been thinking. The bad actor didn’t target the SFMTA specifically. Instead they either conducted a malicious email campaign or used their attack server, which comes equipped with tools that can actively scan systems for security holes.

In some cases, the attacker might have even collected an additional fee for helping their victims to patch the vulnerabilities. Per Krebs’s investigation:

“According to a review of email messages from the Cryptom27 accounts shared by my source, the attacker routinely offered to help victims secure their systems from other hackers for a small number of extra Bitcoins. In one case, a victim that had just forked over a 20 Bitcoin ransom seemed all too eager to pay more for tips on how to plug the security holes that got him hacked. In return, the hacker pasted a link to a Web server, and urged the victim to install a critical security patch for the company’s Java applications.”

Overall, the actor is believed to have extorted 140,000 USD from victims using ransomware since August 2016. And as some files suggest the attacker is based in Iran, they can continue to launch their campaigns against U.S. companies with little fear of extradition.

Given the evolving threat of ransomware, it’s important that organizations implement a data backup strategy and follow some additional ransomware prevention tips.

They can also learn more about ransomware in general here.