Elizabeth Weise

USATODAY

SAN FRANCISCO — A ransomware attack took ticket machines for San Francisco's light rail transit system offline all day Saturday during one of the busiest shopping weekends of the year, but rather than shutting down, the agency decided instead to let users ride for free. By Sunday the system was once again running normally.

"We never considered paying the ransom. We have an IT team on staff who can fully restore all systems," said San Francisco Municipal Transportation Agency spokesman Paul Rose.

SFMTA, known as Muni, reported that agents' computer screens displayed the message "You Hacked, ALL Data Encrypted" beginning Friday night.

The attackers demanded 100 Bitcoins, worth about $73,000, the San Francisco Examiner reported.

The cybercrime disrupted Muni's internal computer system and email but did not affect the actual running of the transit agency, which runs buses, light rail, historic street cars and the city's famed cable cars.

The system provides 735,000 trips per day, but the free rides applied only to the light rail portion, for patrons boarding at the city's subway stops, which must be accessed by stepping through fare gates.

The ticket machines at those stops instead carried pink “Out of Service” messages, along with hand-written signs saying “Metro free.”

“The fare gates were closed on Friday and Saturday as a precaution, to minimize any impact to our customers. They were operational again on Sunday,” said Rose.

Neither customer privacy nor transaction information was compromised, Muni said in a release.

"Encrypting files and asking for ransom has been a popular method of attack in recent years. Earlier this year, the Melrose, Massachusetts, Police Department actually paid the ransom to unlock their files," said Tim Erlin, senior director of IT security and risk strategy for the security firm Tripwire.

The majority of ransomware infections do not go public because they are often small in size and do not have a large impact, said Jason Rebholz, director of professional services at The Crypsis Group, a security firm.

The San Francisco incident became public because it touched a large number of systems responsible for daily operations. "These ransomware events, while more rare than typical ransomware infections, typically result in public notification due to the widespread impact," Rebholz said.

It’s unlikely the transit system was specifically chosen as a target, as ransomware is generally a very opportunistic and financially motivated attack method, said Kevin Albano, global lead for threat intelligence with IBM X-Force.

“Recently, these campaigns have started to become a little less indiscriminate, casting a wider net to see what they’re able to compromise. Once they infect their targets, the hackers can always adjust the price if a higher value target is caught in their net,” he said.