In what could be actual evidence that karma does exist, the individual responsible for infecting the San Francisco Municipal Transportation Agency (SFMTA) with ransomware has been hacked.
Krebs on Security reports that someone was able to breach the email account of the Muni hacker, who calls himself Andy Saolis, using the address left in his ransom note.
Following Friday’s attack, computer screens at stations were disabled and displayed the message: "You Hacked, ALL Data Encrypted. Contact For Key(email@example.com)ID:681 , Enter." Saolis demanded 100 Bitcoins (around $73,000) in exchange for the decryption key.
An anonymous security researcher contacted Krebs on Monday to say he had hacked Saolis' Yandex mailbox after reading about the incident in an article.
The avenging hacker managed to guess Saolis’ security question protecting his account, before resetting the password and locking it down. He also locked down a secondary address, firstname.lastname@example.org, which was protected with the same security question and answer.
While the SFMTA never paid the ransom, it seems Saolis has extorted plenty of money in the past. His emails revealed that a US manufacturing firm paid him 63 bitcoins (approximately $45,000) to unlock its encrypted files. And a review of more than a dozen Bitcoin wallets indicated victims have handed over $140,000 worth of Bitcoins since August.
It was also discovered that the hacker used internet addresses based almost exclusively in Iran, and he wrote notes in Farsi, the primary language spoken in the country.
Whether the Muni hacker continues to extort money from various organizations remains to be seen. At the very least, he’ll probably start picking better answers to his security questions.