The San Francisco rail system was “hijacked” last Saturday by a hacker who demanded ransom in exchange for not releasing important data of the agency. Now, the tables have turned.
After holding the Muni hostage, the hacker is now the one victimized by hacking.
The lone hacker demanded 100 Bitcoins, equivalent to $73,000, to be paid after first contacting a certain email address. The hacker told the agency to “Contact For Descryption Key ([email protected])”, a message posted on computer terminals across Muni stations. It proved to be his undoing.
Brian Krebs of KrebsOnSecurity announced that a security researcher, who will remain anonymous, was able to hack the Muni hacker. The unnamed researcher figured out the answer to the security question of the Yandex account named in the ransom note. The researcher reset the password of that account and that of [email protected], which was protected by the same security question.
The data gathered from the hacker's account revealed that the Muni attack was not his or her first. The hacker, in fact, already holds $140,000 worth of Bitcoin, presumably gathered through extortion. According to the hacker's emails, he or she succeeded in extorting $45,000 from a manufacturing company based in the United States.
“Emails from the attacker’s inbox indicate some victims managed to negotiate a lesser ransom. China Construction of America, Inc., for example, paid 24 Bitcoins on Sunday, Nov. 27 to decrypt some 60 servers infected with the same ransomware – after successfully haggling the attacker down from his original demand of 40 Bitcoins,” Krebs said.
“Other construction firms apparently infected by ransomware attacks from this criminal include King of Prussia, Pa.-based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe group, a construction firm based in Walbridge, Ohio,” he added.
Krebs thinks there are other victims of this particular hacker, since other email addresses were attributed to the same individual. He added that the criminal may be from Iran.
Krebs advises companies to back up their data frequently so that they are not held hostage by such attacks.
Muni was forced to let passengers ride for free while its systems were being held hostage by the hacker.