MUNI hack
A woman waits for a MUNI train at the Embarcadero station in San Francisco

The hacker responsible for the ransomware attack against San Francisco's municipal transit system (Muni) may have been given a taste of his own medicine after a security researcher reportedly infiltrated the cybercriminal's own email inbox and accessed a trove of emails.

The retaliatory hack has revealed clues about the culprit's location, identity and past extortion activities, according to Brian Krebs, a security expert who runs KrebsOnSecurity. If the emails are to be believed – the hacker is a successful ransomware-peddler.

The Muni systems were first targeted on 25 November, initially disrupting internal networks, email services and roughly 900 computers. Terminals were left with the notice: "You are hacked. Your HDD encrypted. Contact us for decryption key." The hacker left an email: cryptom27@yandex.com.

After issuing a demand of 100 Bitcoin ($73,000, £60,000), the hacker – under the pseudonym "Andy Saolis" – threatened to release 30GB of stolen data if payment was not provided. It is believed the malware used in the attack was HDDCryptor, or "Mamba."

On 28 November, Krebs said he was contacted by a security researcher, who remains unnamed, that claimed to have broke into the Yandex email address provided by the hacker by guessing his (or her) "secret question" and then resetting the password on the account.

Among the alleged emails was a message to Sean Cunningham, a San Francisco Municipal Transportation Agency (SFMTA) infrastructure manager, which demanded payment in return for access to the Muni computer networks. It was also signed with the fake name Andy Saolis, Krebs reported.

"All Your Computer's/Server's in MUNI-RAILWAY Domain Encrypted by AES 2048Bit! We have 2000 Decryption Key! Send 100BTC to My Bitcoin Wallet, then We Send you Decryption key For Your All Server's HDD!!" the email to Cunningham said.

The hacked emails appear to show the hacker was previously successful at extorting a range of victims – however they were usually in the manufacturing and construction sector. A scan of their Bitcoin wallets, used to store illicit profits, showed roughly $140,000 in funds.

The messages also appear to provide insight into what types of vulnerabilities the hacker was using to sneak into networks – primarily by exploiting security flaws in Java applications and gaps in Oracle server products. An expert told Krebs the hacker was using "several open-source tools to help find and infect new victims."

This appears to match with what the hacker previously told Bleeping Computer via email – when he or she indicated Muni was infected by accident – saying it was not a targeted attack. "We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal automation and email! We gain access completely random and our virus working automatically," the culprit said.

Krebs also revealed the hackers' server – used to launch Oracle vulnerability scans – appeared to have an IP address based in Iran. Further evidence pointed towards the hackers' language being either Iranian or originating from the Middle East. Some names linked to the account were "Alireza" and "Mokhi", Krebs said.

In a statement issued on 28 November (Monday), Kristen Holland, a public relations representative with the SFMTA said the organisation had "never considered" paying the ransom demand.

She said: "We have an information technology team in place that can restore our systems, and that is what they are doing. Existing backup systems allowed us to get most affected computers up and running [...] our information technology team anticipates having the remaining computers functional in the next day or two."