On Friday, the San Francisco Municipal Transportation Agency (SFMTA) was hit by a ransomware attack that caused problems including on the fare station terminals, which displayed the message "You Are Hacked, ALL Data Encrypted". However, it turns out that the person responsible for the attack was himself hacked during the same weekend. That compromise revealed some interesting details which might point to his location and identity.
The hacker responsible for the attack claimed that he had compromised thousands of computers at SFMTA and scrambled some of the files on them with strong encryption. He also claimed that only his digital key could unlock the data, and that key was said to be worth 100 Bitcoins, which is about USD $73,000.
However, the popular security research website krebsonsecurity.com noted that it had received a message from another hacker who claimed that he had hacked into the first hacker's account and obtained some details as a result. The messages from the hacker who attacked the SFMTA showed that on Friday he had written to the SFMTA manager demanding 100 Bitcoins in exchange for the encryption key.
Other emails in the hacker's inbox revealed that he had also been paid $45,000 in Bitcoins on Nov 20 by a US-based manufacturing firm. The attacker also seems to switch Bitcoin wallets every day or week, apparently for security reasons, as he explained in one of the emails he sent to a victim who was hesitating to pay the ransom at first.
A review of all the Bitcoin wallets found in the hacker's email account showed that he has managed to extort $140,000 in Bitcoin value from victim organisations.
Information obtained by the other hacker, who said he wanted to stay anonymous, showed that the attacker might have used an attack server for staging attacks on more servers and compromising them. The server also had some new tools that could help find and infect new victims. Alex Holden, a security researcher at Hold Security Inc., said the revelations suggested that the attacker was using a large number of tools that enabled him to scan more portions of the Internet and find several targets that could show vulnerabilities.