The San Francisco Municipal Transportation Agency (SFMTA) appears to have been taken over by a form of malware called “ransomware,” with a hacker calling himself “Andy Saolis” demanding $73,000 in bitcoin, the San Francisco Examiner reports. On Friday and Saturday, computers in station agents’ booths across the San Francisco Municipal Transportation Agency displayed “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.” The Examiner contacted the listed email and established email contact with the individual calling himself Saolis, who wrote, “We do this for money, nothing else! I hope it’s help to company to make secure IT before we coming.”

Andy Saolis is a pseudonym commonly used in this kind of ransomware attack, involving HDDCryptor ransomware that targets Windows machines. Ransomware causes computers and key data to be encrypted, requiring a password in the possession of the hacker. An FBI statement in April said these kinds of attacks are increasing against public agencies. “The inability to access the important data these kinds of organizations keep can be catastrophic,” the FBI wrote, in terms of “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.”

Rather than actually “hacking” the computer system, the Examiner said the perpetrator probably “phished” for a staffer who inadvertently downloaded the malware either by targeted emails or by other means, an increasingly common way to gain entry to computer systems. Such an email will look like it comes from a trusted source. Individuals involved in phishing scams may spend a lot of time gathering information about staff members, including accessing their social media profiles.

Some transit computers are now operational, so it is unclear how much leverage the perpetrator of the scheme may have, the Examiner said. SFMTA employees told the Examiner that their payment system was inaccessible over the weekend and they feared the personal data of nearly 6,000 employees might be at risk. Another source, Hoodline, also contacted the alleged attacker Saolis. Hoodline said that attackers are still in control of more than 2,000 of SFMTA’s 8,656 computers and that documents released by one of the hackers suggest many vital agency functions have been compromised, including payroll, email servers, Quickbooks, NextBus operations, and personal computers for hundreds of employees.

Saolis told tech media outlet The Verge that the ransom period would be closed off on Monday. Mike Grover, an IT manager at a San Francisco tech company who researches tech security, told the Examiner that when the ransom period closed, machines would be permanently encrypted.