http://hoodline.com/2016/11/hackers-hold-sfmta-s-computer-network-hostage-for-73k-ransom
Muni passengers were treated to free rides for much of the
weekend after a cyber attack on Muni's computer network Friday
afternoon left ticketing kiosks inoperable. But the San Francisco
Municipal Transit Agency looks poised to lose more than a weekend
of fares, Hoodline has learned.
According to the pseudonymous hacker behind the attack, the agency's
computers are being held for a ransom of more than $73,000, with only
one day left to pay, and nearly 25 percent of the machines on Muni's
network have been compromised.
The full extent of the attack remains unknown to the public.
However, documents released by one of the hackers suggest that many
vital agency functions have been compromised, including payroll,
email servers, QuickBooks, NextBus operations, various MySQL
database servers, staff training systems and the workstations of
hundreds of employees.
In all, the hackers claim to control 2,112 of the 8,656 computers on
SFMTA's network.
In a statement released by agency spokesperson Paul Rose, “The
incident remains under investigation, so it wouldn't be
appropriate to provide any additional details at this point.”
The attack, first reported by the Examiner on Saturday, left kiosks
across Muni's downtown stations with a message reading, “You Hacked,
ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681
,Enter.”
Unable to process fares, Muni left turnstiles open for passengers
to ride freely.
Muni's computers were hijacked using the HDDCryptor ransomware, which
targets Windows machines. Also known as Mamba, HDDCryptor encrypts
entire hard drives with a bundled copy of the open-source DiskCryptor
tool and overwrites the boot record so that the machine shows only a
ransom screen and a password prompt at startup. Without the password,
the affected machines cannot boot or be read, leaving Muni locked out
of them.
Reached at the provided email, the hackers, calling themselves
“Andy Saolis,” demanded 100 Bitcoin—the equivalent of more than
$73,000—from San Francisco's transit agency:
if You are Responsible in MUNI-RAILWAY !
All Your Computer’s/Server's in MUNI-RAILWAY Domain Encrypted By
AES 2048Bit!
We have 2000 Decryption Key !
Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key
For Your All Server's HDD!!
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it's Fast way!
The hackers followed up, writing, “say to company owner we are
waiting one more day for deal and after it this email closing for
security reason!” In another email, they declared, “we only
encrypt 2000 important server and PC , another systems don't point
to us !”
Andy Saolis—a pseudonym commonly used in HDDCryptor ransom
attacks—also provided a list of all 2,112 machines under their
control, as well as a Bitcoin wallet to which the ransom could be
paid. So far, no transfers have been posted to that wallet, but it
is likely the hackers provided a different wallet to each email
contact to avoid being easily tracked.
SFMTA's backup servers did not appear to be among the thousands of
impacted machines, which could allow the agency to avoid paying
the ransom and restore its computers from earlier copies of its
system data. However, depending on how old those backups are, the
agency could still lose any critical data created since they were
taken.