SF Muni Hacker Gets Hacked... Twice

There is no justice more poetic than that of a hacker who -- in the sweaty-palmed throes of hacking -- gets hacked.

Unless he gets hacked a second time, that is.

Such was the case for the mysterious figure using the alias Andy Saolis, the person (or persons) behind this past weekend's hack of the San Francisco Municipal Transit Agency rail system. As he held the city for ransom, two other parties may have hacked his email account and reset his password after correctly guessing the answer to the account's security question, according to Krebs on Security and Forbes.

One of the vigilante hackers is an anonymous source that contacted Forbes through the email that was used to hack SF Muni's systems. Forbes reports that its source broke through the account and notified the FBI. "This guy has been doing ransomware since August," the source told Forbes. "I reset the password within three tries of the answer."

The other vigilante hacker contacted security reporter Brian Krebs and identified themselves as a security researcher, which Krebs then verified after consulting other security experts. As one of them, Alex Holden of Hold Security, Inc., put it: “It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities.”

Per their findings, SF Muni was a departure for this extortionist, who previously had targeted private companies. Targeting a public transit system is probably what got them hacked.

The saga began the Friday after Thanksgiving, when Saolis broke into SF Muni's computer system using ransomware and held the rail system in a stranglehold over the weekend for a ransom of 100 bitcoin, or about $73,000. Customers were allowed to ride the rails for free for much of the weekend as ticketing kiosks were left inoperable, with screens at terminals reportedly reading "you hacked, ALL data encrypted."

Overall, the hack affected 30 gigabytes of customer and employee data across more than 2,000 computers, about 25 percent of the Muni's entire network. Ticket machines were working again on Sunday morning.

SF Muni confirmed in a blog post that it would not pay any ransom for the breach. "The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing."

In the meantime, the FBI and the Department of Homeland Security are also on the case.

H/T: Krebs on Security; Forbes

Eric Vilas-Boas is a writer and editor at Thrillist. Follow him @e_vb_.