San Francisco Municipal Railway fare systems were back up and running but crews were still working Monday to recover from an attack by hackers that resulted in many Muni riders getting free rides on Friday and Saturday.
The attack using ransomware software occurred Friday, when system computers at all underground Muni stations began to display the message "You hacked, ALL data encrypted." The message included an email contact.
All fare machines also featured an "Out of Service" message during the attack, but those machines returned to operational status by Sunday.
The hackers have reportedly demanded a ransom to unencrypt affected computers and threatened to release agency data.
NBC Bay Area contacted the alleged hacker, who was calling himself "Andy." The hacker replied "Yes! I can hack them again and again! We have many backdoor there! So they must decide to show off or try to make safe network with our help!!"
Muni spokesman Paul Rose said the agency did not pay the demanded $73,000 ransom and had restored around 75 percent of the affected computers by Sunday. He hoped to have that to 100 percent by the end of Monday, he said.
The hacker confirmed that they had not been paid a ransom and followed that with a threat of more hacks.
"No contact officially! I think they don't want deal but someone must responsible for ppl safety in company like that! So we will try to force them by hacking again and again to make ppl safe."
The hacker didn’t say how paying a ransom would make people safe.
Rose emphasized that transit service and system safety were never compromised during the attack.
In addition, the agency has been working with the Department of Homeland Security and does not believe the hackers have access to any critical data, including customer or employee personal data.
"We never even considered paying the ransom nor do we intend to do so," Rose said. "Based on reports I’ve seen, they are sending out information to a lot of different agencies and organizations, and a user in our agency clicked on a link."
Investigators do not think the incident was caused by a targeted hacking attack, but rather by someone within the SFMTA system unwittingly clicking on a link in an email or on a website that downloaded the ransomware software.
The attack affected internal computer systems including email and part of the payroll system, but "never breached our firewall," Rose said.
Muni officials are still working to calculate the full cost of the incident in terms of lost fares and repair costs, and are working with the FBI to help identify the hackers.