San Francisco Municipal Transport Organization (MUNI) was violated and contaminated with ransomware last weekend by a hacker calling himself Andy Saolis.
Because of the attack, all passengers could make free metro routes, and the hacker asked 100 Bitcoin ($ 73.000) ransom to remove the malicious software, threatening to leak 30 GB files containing customer information, contracts and employees.
And yet, it seems that Andy Saolis was not as careful as you would expect from a hacker. A security researcher has managed to break his e-mail address and find out what will be useful during the investigation.
The blog Krebs On Security reports that the security researcher who wanted to maintain his anonymity was able to access the hacker's email address, just guessing the answer to a secret question he was using. With a password reset it was able to take full control of the account.
A message that existed in the envoy file shows that the hacker actually contacted MUNI officials at 25 in November to report the violation and ask for a ransom.
The message said:
"If you are in charge of MUNI-RAILWAY! All your Servers / Server in the MUNI-RAILWAY domain were encrypted with AES 2048Bit! We have 2000 decryption keys! Send 100BTC to my Bitcoin Wallet, and then we will send you the decryption key for all your disks and the server !! "
The messages in the hacker's mailbox showed that this hack was not the first. From other violations and attacks with ransomware it appears that the hacker had received 140.000 dollars in Bitcoin.
It goes without saying that the account can be used by researchers to learn the real identity of Andy Saolis, and the KrebsOnSecurity blog notes that there are some emails from hosting providers. The passwords for some of the hacker's hosting accounts were saved in plain text, so access to these servers is also possible.
Meanwhile, MUNI claims it has removed the malware from its systems and that its data is safe, despite Andy Saolis's claims that he was in the hands of 30 GB files.