Mamba Hacks San Francisco Railway System


The coders behind Mamba, also known as HDDCryptor, ransomware has hacked the San Francisco Municipal Railway, aka Muni, system. Around 13% of Muni’s computers have been affected. The incident started on Friday afternoon (the 25th of November) and took place during the weekend, that is, between the 26th to 27th of November, 2016. The system could not issue tickets and the ticket dispensers were out of service, thus, the citizens could ride for free.

The targets of Mamba were the payment, railway scheduling and e-mail systems. The ransom note, written by the developers of the ransomware was available for the customers via the computers displaying route information and time schedules. The note contained the following text:

You Hacked.ALL Data Encrypted.Contact For Key( ,Enter

It is noticeable in the following image, which was made by one of the locals, namely, Colin Heilbut, and posted on his Twitter account:

Interestingly enough, the culprit of the incident, calling himself Andy Saolis, answered to some of the local newspapers claiming that the incident was purely accidental and that he wasn’t aiming at hacking the San Francisco Municipal Railway system. Despite such a claim, Andy Solis also added that the officials of Muni would still need to pay to restore the normal functioning of the system. The ransom payment specified was 73,000 USD or about 100 BTC (BitCoins).

Saolis went on specifying to the Verge newspaper that the infection started from a computer, installed Windows 2000, from where Mamba got distributed to the other computers of the system. As strange as it can possibly be, Andy said he was about to close his e-mail account because he did not believe that the representatives of Muni was going to pay and that he did not want to share no more information regarding the matter. The message he sent to the Verge is the following:

we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!

So far this is all the news concerning the incident. More about Mamba disk-encryptor read here. In the post you will also learn the general knowledge about ransomware threats and how to deal with them.

Sources: and


About the author

 - Main Editor

I have started in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.


Leave a Reply

Your email address will not be published. Required fields are marked *