The hackers behind the ransomware attack against Muni's computer network this past weekend are continuing to escalate their threats against San Francisco's transportation agency. Beyond controlling 2,112 of SFMTA computers, the hackers now claim to have stolen 30 gigabytes of sensitive departmental data and promise to release it if their demands are not met.

Yesterday, Hoodline learned the hackers, going by the pseudonym “Andy Saolis,” were demanding a 100 Bitcoin ($73,000) ransom to return control of nearly 25 percent Muni's computer network.

The deadline for sending ransom payment passed early Monday morning—a point at which the hackers had previously claimed they would close their email account, leaving the department without a method to purchase the password to regain access to their network.

Instead, as the deadline passed, Saolis sent a canned statement to several media outlets, including Motherboard, the Examiner and Forbes, with new claims that they extracted information from department computers before encrypting them and locking Muni out.

“I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don’t , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!,” Saolis wrote in an email sent to the media.

The hackers, who acknowledged they do not reside in the United States, did not specify what they meant by “LLD Plans.”

According to a list, obtained by Hoodline, of Muni's machines currently encrypted by the hackers, Saolis likely has control of the department's payroll service, email servers, Quickbooks, several MySQL database servers, and personal computers for hundreds of employees.

It remains unclear if the hackers truly obtained departmental data or are just using the threat to attempt to pressure SFMTA into paying. Department spokesperson Paul Rose told the Examiner today, “Personal information of Muni customers were not compromised as part of this incident.”

The hackers also refused to provide any proof that they possessed stolen data to media outlets.

“We proof our capability before ! we don't want leak really but if they don't pay attention , it's will be our plan,” Saolis emailed Motherboard.

"We are working with the FBI to investigate and to help identify a suspect," SFMTA's Paul Rose told Hoodline this afternoon. "We are also working with the Department of Homeland Security."



With the new threat of releasing Muni data to the public being made, the hackers extended their original deadline to this Friday. Muni officials have reiterated their claim that they will not pay the ransom.