Hacker Who Hacked SF Rail System for Ransom Hacked by Another Hacker

On Friday 25th, the San Francisco Municipal Railway (MUNI) had their computer systems hacked and locked by a hacker who ended up demanding 100 bitcoins (USD 73,000) to unlock the whole system. Apparently, MUNI told the hacker to buzz off and restored the system after a while.

Now, a security researcher Brian Krebs who was once in the news for having his site DDoSed with 665 Gbps attack is reporting that another security researcher has contacted him revealing that the San Francisco Rail System hacker himself has been hacked. Yes, the security researcher told Krebs that he has hacked the email address cryptom27@yandex.com which was given on the screens of MUNI fair system in order for them to contact the hacker and pay the ransom.

san-francisco-railway-fare-system-hacked-for-100-bitcoin-ransom-2
Screengrab of email address left by the hacker on MUNI’s computer system.

How did it happen?

The security researcher who wants to keep his identity hidden told Krebs that he hacked the email address by guessing the answer to its secret question. The hacked email was backed with another email address (cryptom2016@yandex.com) which was also protected with the same secret question and answer as the cryptom27 email address.

Upon taking over both emails the researcher shared a number of conversations and logs with Krebs that gives an indication of the hacker’s whereabouts and previous targets. For example, IP address of more than 300 logins shows the hacker was singing in from Iran, the account owner name was mentioned as Ali Reza, a common name in Iran while a phone number linked to another account belonging to a hosting company in Russia.

A habitual extortionist:

The inbox of MUNI hacker revealed much more than what one would expect, for instance, the favorite target of the attacks were the construction industry. After going through his emails it was clear that he has been earning some big bucks through ransom scams such as China Construction of America Inc., was forced to pay 24 Bitcoins ($17,500) on Nov. 27 Sunday, in order to unlock about 60 of their servers infected with Mamba ransomware.

Other targets that were infected by this attack include CDM Smith Inc. in Boston, King of Prussia, Pa, based Irwin & Leighton, the Rudolph Libbe Group, Indianapolis-based Skillman and Libbe Group, a construction consulting firm. It is however not confirmed if all these firms were forced to pay ransom or not – or if they have got their files back or not.

We recommend our readers to go through Kreb’s blog post for a further analysis of the hacked inbox.

Pay ransom or not? = NOT

The FBI tells victims to pay the ransom and get their locked data back, however, it is a wrong practice which only helps hackers to exploit innocent users. In July this year, IT security giants like Kaspersky and Intel with the assistance of Dutch Police and Europol developed an anti-ransomware portal called ‘No More Ransom’ to assist victims of ransomware scams for absolutely free. Since its launch the portal has saved more than 2,500 ransomware victims and saved 1.3 million in Euros.

So don’t feed the cyber criminals and contact the No More Ransom campaign to free your system from these nasty ransomware infections. As far as the email hacking of MUNI hacker is concerned it is indeed a massive blow for the hacker himself which will help authorities to track patrons of cybercriminals and how they infect users and high-profile firms worldwide.

Image ViaPixaBay/Bykst

Ryan De Souza

Ryan is a London-based member of the HackRead's Editorial team. A graduate of Maths and physics with a passion for geopolitics and human rights. Ryan places integrity at the pinnacle of successful journalism and believes this is somewhat lacking in traditional media. Ryan is an educator who balances his time between family, social activism and humanitarian causes and his vice is Football and cars.