An anonymous security researcher reportedly breached the attacker’s email account.
The hacker claiming responsibility for last week’s ransomware attack on the San Francisco Municipal Transportation Agency has been hacked.
According to security researcher Brian Krebs, the criminal—someone calling themselves “Andy Saolis”—was the target of a breach that revealed details about other hacks allegedly carried out by Saolis.
The Friday hack meant free rides for all that night and into Saturday, as payment kiosks were inaccessible.
Saolis later claimed responsibility and fielded questions from the media via email. On Monday, a security researcher who chose to remain anonymous accessed that email account by guessing the answer to Saolis’ secret question and resetting the password, the researcher told Krebs.
Based on messages obtained from the inbox and published by Krebs, Saolis on Friday contacted SFMTA infrastructure manager Sean Cunningham and demanded 100 bitcoin ($73,000) in exchange for re-entry into SFMTA’s encrypted servers.
“The SFMTA has never considered paying the ransom,” an agency spokesman told PCMag. “We have an information technology team in place that can restore our systems and that is what they are doing.”
Saolis, however, has successfully extorted at least $140,000 from victims since August, Krebs reports.
Last week’s SFMTA outage—which disrupted about 900 office computers—was not a targeted strike; instead, it appears the infection spread through an SFMTA employee with “admin level” access, whose PC was used to download a software keycode generator carrying the malicious code.
“It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety !” Saolis wrote in a message to PCMag on Monday, apologizing for their broken English. “If some Hacker Try to Hack Your Transportation Infrastructure Target-Based , it’s Have More Impact!”
Saolis did not immediately respond to another request for comment.
Despite employee concerns about missing a paycheck, the San Francisco MUNI confirmed that there will be no impact to payroll services. Meanwhile, customer payment systems were not hacked, and no data was accessed during the breach.