SAN FRANCISCO — A ransomware attack took ticket machines for San Francisco's light rail transit system offline all day Saturday during one of the busiest shopping weekends of the year, but rather than shutting down, the agency decided instead to let users ride for free.
The San Francisco Municipal Transportation Agency, known as Muni, reported that agents' computer screens displayed the message "You Hacked, ALL Data Encrypted" beginning Friday night.
The attackers demanded 100 Bitcoins, worth about $73,000, the San Francisco Examiner reported. The agency did not respond to questions about whether the amount was paid.
The cybercrime disrupted Muni's internal computer system and email but did not affect the actual running of the transit agency, which runs buses, light rail, historic street cars and the city's famed cable cars.
The system provides 735,000 trips per day but the free rides were only on the light rail portion when patrons were boarding in the city's subway stops, which must be accessed by stepping through fare gates.
The ticket machines at those stops instead carred pink “Out of Service” messages, along with hand-written signs saying “Metro free.”'
“The fare gates were closed on Friday and Saturday as a precaution, to minimize any impact to our customers. They were operational again on Sunday,” said Muni spokesman Paul Rose.
Neither customer privacy nor transaction information were compromised, Muni said in a release.
"Encrypting files and asking for ransom has been a popular method of attack in recent years. Earlier this year, the Melrose Massachusetts Police department actually paid the ransom to unlock their files,” said Tim Erlin, senior director of IT security and risk strategy for the security firm Tripwire.
The majority of ransomware infections do not go public because they are often small in size and do not have a large impact, said Jason Rebholz, director of professional services at The Crypsis Group, a security firm.
The San Francisco incident became public because touched a large number of systems responsible for daily operations. "These ransomware events, while more rare than typical ransomware infections, typically result in public notification due to the widespread impact," Rebholz said.