Muni Ransomware Attacker is Hacked

frogboy

The hacker responsible for a major ransomware attack on San Francisco’s “Muni” rail network has earned over $100,000 from multiple attacks over the past few months, it emerged after he himself was hacked.

An unnamed security researcher managed to crack the email account posted by the attacker in his message to the San Francisco Municipal Transportation Agency (SFMTA) on Friday, according to Krebs On Security.

Guessing the secret question apparently allowed the white hat to reset the account password.

That account revealed a ransom message sent on Friday to an SFMTA infrastructure manager and details from more than a dozen Bitcoin wallets, suggesting he has managed to extort over $140,000 from companies since August.

It also appears as if his main targets were US manufacturing and construction companies, the majority of which paid a ransom of around one Bitcoin ($730) per server.

The attacker used open source tools to scan for internet-connected machines vulnerable to exploit, with Oracle servers, including Primavera project portfolio management software, particularly favored.

Some companies would even pay up extra Bitcoins in return for information on how they were hacked, the report claimed.

Over 300 addresses linked to an attack server used by the black hat appear to be based in Iran, although a contact number is for a Russian mobile.

It appears as if the hacker will be out of luck this time, as the SFMTA has claimed it will not be paying the ransom.

A lengthy note on Monday had the following:

“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.

Read more: Muni Hacker is Hacked
 
o_O But if you are very careful, and do not click any strange links and so on, careful all the time, could you then get hit with ransomware anyway? :( Could someone explain to me what a typical ransomware attack is, and what it looks like?