Stolen e-mails from San Francisco public transport hacker provide insight into working methods
Investigative journalist Brian Krebs reports that he has obtained further information about the criminal who recently infected the systems of a San Francisco transportation company with ransomware. The information comes from someone who hacked into the criminal's e-mail accounts.
The anonymous person who approached Krebs with the information claims he was able to break into the criminal's Yandex e-mail account by guessing the answers to its security questions. This method also gave him access to a second account, which was linked to the first. Information in the accounts shows that the criminal sent a message to the SFMTA, a transportation company in San Francisco, on Friday evening. In it, he stated that the company's systems had been encrypted and that decryption was possible for a price of 100 bitcoins, about 68,500 euros. Krebs reports that the company has not paid the ransom and has restored from backups instead.
The content of the e-mails provides insight into the criminal's working method. Correspondence with other victims shows, for example, that the criminal used different bitcoin addresses to receive payments. In total, about $140,000 in bitcoins has been transferred in recent months. That equates to approximately 132,000 euros. According to Krebs, this is still a low estimate, because his source also managed to crack a third e-mail address. This address was linked to a large number of search results for help with ransomware infections.
As previously assumed, the attack on the transport company turned out not to be targeted. The e-mail accounts contained credentials for servers running software that searches for certain vulnerabilities in devices connected to the Internet. The files on the servers also provided information about the possible location of the hacker: for example, a large part of the login attempts took place from Iran. It also appeared that the hacker normally targets construction companies and manufacturers in the US, whom he charges one bitcoin per infected server.
On Monday, it turned out that the ransomware infection had caused the SFMTA's computer systems, including ticket machines, to stop functioning. The transport company then decided to give travelers free access to the metro.