Cyber Security Basics 📂 Foundation · 12 of 15 35 min read

Cyber Crime Case Study: The San Francisco Muni Ransomware Attack (2016)

On Black Friday 2016, the Mamba ransomware locked about 2,000 computers at San Francisco Muni, forcing free rides across the transit network. A hacker known as "Andy Saolis" demanded 100 Bitcoin (~$73,000), but SFMTA refused, restored systems from backups within 72 hours, and resumed operations. This case study examines the malware, attack chain, response, and key cybersecurity lessons for critical infrastructure.

Section 01

The Black Friday That Broke a City's Rail System

November 25, 2016 — 6:00 AM, San Francisco
Thanksgiving weekend. Station agents walk into Muni Metro booths across San Francisco and reach for their keyboards. Screens flicker on — but instead of the usual dispatch console, one message blocks every terminal:

"You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com) ID:681, Enter."

Handwritten "Out of Service" signs go up on ticket machines. Fare gates swing open. Nearly 2,000 of 8,000 SFMTA computers are locked. Bus drivers get their routes on paper. And for one long weekend, 700,000 daily riders on the busiest transit network west of the Mississippi ride entirely for free — not as a holiday gift, but because a ransomware strain called Mamba has just held an entire municipality hostage.

This is the story of the SFMTA ransomware attack of November 2016 — one of the most public ransomware incidents ever recorded against critical infrastructure. It's also, remarkably, a story with a happy ending: the transit agency refused to pay a single Bitcoin, restored its own systems, and the attacker himself was hacked by a security researcher within days. This tutorial breaks down exactly what happened, how the malware worked, and every defensive lesson that came out of it.

🔑
Why This Case Still Matters in 2026

The Muni attack was a preview of every major ransomware incident since — Colonial Pipeline (2021), the Irish HSE health service (2021), London Transport (2024). The exact techniques used against SFMTA — legitimate open-source tools weaponised, unpatched public-facing servers, no network segmentation — remain the top three attack vectors on critical infrastructure a decade later. Understanding SFMTA is understanding the modern threat.


Section 02

Ransomware 101 — The Business Model Behind the Attack

Before dissecting the SFMTA case, understand the weapon. Ransomware is not a virus in the classical sense — it is a business model that happens to run on malware. The economics are simple: encrypt files the victim cannot afford to lose, demand payment in a currency that cannot be traced, and disappear.

🔒
Stage 1 — Encryption
The Lockout
Malware silently encrypts documents, databases, or entire disks using strong ciphers (AES-256, RSA-2048). The victim cannot decrypt without a key held by the attacker. In Mamba's case, the entire hard drive was encrypted — not just files.
💰
Stage 2 — Extortion
The Demand
A ransom note appears with a Bitcoin wallet address and a deadline. Modern variants add "double extortion" — pay or we also leak your stolen data. SFMTA's attacker threatened to leak 30 GB of internal databases.
📍
Stage 3 — Payment or Recovery
The Fork in the Road
The victim either pays and hopes for a decryption key (no guarantee) or restores from clean backups. SFMTA took the second path. Most organisations still, disturbingly, take the first.
⚠️
The Uncomfortable Reality

The FBI has, at times, quietly acknowledged that when good backups do not exist, paying is the only path to recovery — even though official guidance discourages it. This is why backups are not an IT nicety — they are the single most important cybersecurity control. SFMTA survived precisely because they had them.


Section 03

Meet the Weapon — Mamba / HDDCryptor

The malware family behind the SFMTA attack goes by two names: HDDCryptor and Mamba. It first appeared in early 2016 and was publicly documented by Trend Micro that September — just two months before Muni was hit. What made it dangerous was not novel cryptography but its audacious reuse of legitimate tools.

The Locksmith Who Robs You With Your Own Keys
Imagine a burglar who does not bring a crowbar. Instead, he walks into your local hardware store, buys a perfectly legal locksmith kit, then uses it to install a new lock on your front door — one only he has the key to.

That is Mamba. It does not ship with custom encryption code. It bundles DiskCryptor, a legitimate open-source full-disk encryption tool that thousands of privacy-conscious users install voluntarily. The attacker weaponises the tool, encrypts the victim's disk with a key only he knows, then walks away.

Why this matters: antivirus software has a hard time flagging DiskCryptor as malicious, because in most contexts it isn't.

Mamba's Signature Behaviours

🛠️ What Mamba Actually Does On a Compromised Machine
Step 1
Drops a bundled copy of DiskCryptor into C:\DC22 on the target system.
Step 2
Registers a Windows service (typically named DefragmentService) that runs with SYSTEM privileges.
Step 3
Overwrites the Master Boot Record (MBR) with a modified bootloader — this is the crucial step. Once the machine reboots, Windows cannot load at all.
Step 4
Encrypts entire disk partitions using AES-256 via DiskCryptor. The encryption key is passed as a command-line parameter, then wiped from memory.
Step 5
Forces a reboot. The next screen the operator sees is not Windows — it is the ransom note, served by the modified bootloader before the OS can even start.
Step 6
Uses PsExec (a legitimate Microsoft Sysinternals tool) to spread laterally across the domain, executing itself on every reachable machine.
💡
The "Living Off the Land" Doctrine

Mamba pioneered a technique now dominant in ransomware: living off the land. Instead of custom malware that antivirus engines can fingerprint, the attackers use tools that are already trusted or ship with Windows — PsExec, DiskCryptor, certutil, PowerShell. The malware is essentially a script that orchestrates legitimate binaries. Every major ransomware family since — Ryuk, Conti, LockBit — uses variations of this playbook.


Section 04

Attack Timeline — Hour by Hour

T-0
Friday, Nov 25, 2016 — Initial Compromise
Mamba lands on an internet-exposed SFMTA server. Two vectors are reported: security firm Fortinet believed the attacker exploited an unpatched Oracle WebLogic vulnerability (a deserialization flaw), while the attacker himself later claimed the entry point was an infected torrent downloaded by an administrator. Either way — a single unpatched public-facing box.
T+1h
Lateral Movement via PsExec
From the beachhead server, Mamba uses stolen or default admin credentials to reach out across the flat SFMTA network. PsExec pushes the ransomware executable to hundreds of machines simultaneously. There is no network segmentation stopping it.
T+4h
Scheduled Detonation
The attackers use Windows scheduled tasks to fire the encryption routine on ~2,000 machines at roughly the same moment. This maximises damage and prevents IT from isolating the first infected systems before others fall.
T+6h
First Reboot — The Ransom Note Appears
Ticket machines, station terminals, staff PCs and dispatch systems reboot. Instead of Windows, they show the modified MBR message: "You Hacked, ALL Data Encrypted". Station agents begin printing "Out of Service" signs by hand.
T+8h
SFMTA Opens the Fare Gates
Rather than risk further spread, SFMTA takes ticketing offline and opens all fare gates to the public. 700,000 daily riders travel free. Muni contacts the FBI and DHS. Bus dispatchers switch to hand-written route sheets.
T+24h
The Ransom Demand Arrives
SFMTA infrastructure manager Sean Cunningham receives an email signed "Andy Saolis": "All Your Computer's/Server's in MUNI-RAILWAY Domain Encrypted By AES 2048Bit! We have 2000 Decryption Key! Send 100BTC to My Bitcoin Wallet." At the time, 100 BTC was roughly $73,000.
T+48h
Sunday — SFMTA Refuses to Pay
Muni spokesperson Paul Rose issues a formal statement: "The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems and that is what they are doing." Ticket machines start coming back online by Sunday afternoon.
T+72h
Monday, Nov 28 — Systems Restored
By Monday morning, fare collection is fully restored from backups. The attacker's Bitcoin wallet remains almost empty. Public embarrassment for the attacker, an estimated $50,000 in lost fare revenue for SFMTA — but no ransom paid, no customer data confirmed leaked, and no impact to physical rail operations.

Section 05

Deconstructing the Attack Chain

Every ransomware breach follows a recognisable path — reconnaissance, entry, escalation, lateral movement, impact. Mapping SFMTA onto the standard MITRE ATT&CK chain shows exactly where a defender could have broken the attack at seven different points.

Phase What The Attacker Did Where SFMTA Could Have Stopped It
Reconnaissance Scanned the internet for exposed Windows servers and unpatched Oracle WebLogic instances. Asset inventory + attack surface management. You cannot defend what you don't know is exposed.
Initial Access Exploited a public-facing Windows 2000 / Oracle WebLogic server, or delivered via a torrent to an admin. Patch management + no admin browsing on production networks.
Execution Dropped DiskCryptor + scheduled task to run the encryption binary. Application allow-listing would have blocked the unsigned installer.
Privilege Escalation Used the compromised server's already-elevated context; no exploit needed. Principle of least privilege. Public servers should not have domain admin rights.
Lateral Movement PsExec across a flat internal network to ~2,000 hosts. Network segmentation. VLANs. Deny-by-default east-west traffic.
Defence Evasion Used legitimate signed tools (DiskCryptor, PsExec) that antivirus won't flag. EDR (Endpoint Detection & Response) that flags behaviour, not signatures.
Impact Encrypted MBR + full disks on 2,000 machines. Threatened data leak. Offline immutable backups. This is what saved SFMTA. Full stop.

Section 06

The Two Entry-Point Theories

Nearly a decade later, the exact initial entry vector is still debated. Two credible theories exist, and understanding both is instructive because they map onto the two most common ransomware entry points to this day.

🛠️ Theory A — Unpatched Server (Fortinet)
ElementDetail
TargetOracle WebLogic
Flaw typeJava deserialization
Age of bugPublicly known, patched
Skill neededLow — public exploit
Detection?Only with WAF / IDS
FixApply Oracle patch
📁 Theory B — Poisoned Torrent (Attacker's Claim)
ElementDetail
TargetAdmin's workstation
Flaw typeHuman — pirated software
Age of bugN/A — social
Skill neededLow — seed torrent
Detection?Nearly impossible
FixPolicy + user training
🔍
Why Both Are Instructive

Whether it was the unpatched server or the pirated software, both scenarios share one root cause: a single point of failure was allowed to talk to 2,000 other machines. The initial infection would have been contained to one host if SFMTA had segmented its network. This is the enduring lesson of Muni — it was not the entry vector that made this disaster, it was the flat network.


Section 07

The Ransom Note — What The Attacker Actually Sent

Journalists at the San Francisco Examiner and security researcher Brian Krebs later obtained copies of the direct communication between the attacker and SFMTA. The note itself is a case study in ransomware psychology — technical bravado mixed with broken English, designed to convince the victim that resistance is futile.

# Message sent from cryptom27@yandex.com to Sean Cunningham,
# SFMTA infrastructure manager, evening of Friday, Nov 25, 2016.
# Signed: "Andy Saolis"

FROM: cryptom27@yandex.com
TO:   scunningham@sfmta.com
SUBJ: Hacked

  All Your Computer's/Server's in MUNI-RAILWAY Domain
  Encrypted By AES 2048Bit!

  We have 2000 Decryption Key !

  Send 100 BTC to My Bitcoin Wallet ,
  then We Send you Decryption key For Your All Server's HDD!!

  # Later follow-up message, after SFMTA went public:

  Company don't pay attention to Your safety!
  They give your money and everyday rich more!
  But they don't pay for IT security and using very old systems!

  SFMTA network was Very Open and 2000 Server/PC infected by software!
CONTEXTUAL NOTES
Ransom demand: 100 BTC (~$73,000 USD at Nov 2016 rate) Deadline: Initially Monday Nov 28; later extended to Friday Dec 2 Attacker alias: "Andy Saolis" (pseudonym) Attacker email: cryptom27@yandex.com (Russian free-mail provider) Threat: Leak 30 GB of internal SFMTA databases if not paid Actual payment: 0 BTC — SFMTA never engaged Bitcoin balance: ~0.0024 BTC (about $2) as of Nov 28 Result for hacker: Public exposure within 72 hours (see Section 09)
🚩
The Grammar Isn't an Accident

Broken English is common in ransom notes not because criminals cannot write, but because it obscures attribution. It could be a non-native speaker; it could be a native speaker faking one; it could be machine translation. Attributing this attack to any nation or specific person is exactly what the attacker wants you not to be able to do.


Section 08

What SFMTA Did Right — The Defensive Playbook

For all the criticism of SFMTA's security posture (and there is plenty), the agency's response was textbook. It is genuinely worth studying as a positive case, because most public sector organisations hit by ransomware have handled it far worse.

Refused to Pay
Every ransom paid funds the next attack. SFMTA drew a hard line publicly on day one. This deterred the attacker from doubling down and denied him leverage in negotiations.
policy: no negotiation
Kept Rail Running
Opening the fare gates was the smart call. Losing $50k in fares is preferable to stranding 700,000 riders. The operational systems (signals, train control) were on separate networks and untouched.
business continuity
Called the Feds Immediately
Within hours SFMTA contacted DHS and the FBI. Federal support gave them access to threat intelligence and legal cover. Many organisations delay this call for weeks — SFMTA did not.
FBI + DHS engaged <24h
Had Working Backups
The single most important defence. SFMTA restored ~2,000 machines from backups in roughly 48 hours. Without those backups, the story ends very differently.
the 3-2-1 rule saved them
Public Communication
Muni's spokesperson Paul Rose issued clear, honest statements early. No cover-up, no minimisation. Public trust survived largely because the agency was straightforward.
transparency = trust
Where They Failed
Flat network. Unpatched public-facing services. No EDR. Admin accounts with sprawling privileges. Every one of these gave the attacker the space to compromise 2,000 machines instead of one.
pre-incident hygiene = D-

Section 09

The Twist — The Hacker Gets Hacked

Krebs on Security, November 29, 2016
While SFMTA was restoring systems, veteran security journalist Brian Krebs received a message from an anonymous researcher. The researcher had exploited weak security questions on the Yandex email account cryptom27@yandex.com — the very address in the SFMTA ransom note — and taken over the attacker's inbox.

Inside were months of ransomware negotiations with dozens of other victims. Bitcoin wallets. Server credentials. A second email address (w889901665@yandex.com) tied to earlier campaigns. And crucially: proof that the SFMTA attack was not targeted — Muni was simply one of thousands of internet-facing servers the attacker had opportunistically compromised.

Krebs published the story on November 29, four days after the attack began.
What Was ExposedDetail Recovered From The Attacker's Mailbox
Other victimsAt least a dozen organisations, including a US manufacturing firm that had paid 63 BTC (~$45,000) on Nov 20 — five days before Muni.
Total earningsKrebs' source estimated at least $140,000 in Bitcoin extorted over the preceding months.
Attack methodologyNon-targeted. The attacker mass-scanned the internet for exposed servers, exploited them opportunistically.
Attacker's locationInvestigative clues pointed to Iran — the attacker was tied to open-source projects and forum activity by an Iranian developer.
InfrastructurePlain-text credentials for hosting providers used in the attack were sitting in the mailbox.
🏆
The Meta-Lesson

The attacker used weak security questions on his own Yandex account — the exact same mistake his victims made. This is not coincidence. Ransomware operators are not necessarily elite hackers. They are operators of a business model, using tooling built by more skilled developers. Weak opsec cuts both ways.


Section 10

The Financial and Operational Impact

Compared to modern ransomware losses running into the hundreds of millions, SFMTA got off remarkably light. But the incident still caused meaningful damage — most of it invisible to the public.

💵
Lost Fare Revenue
~$50,000 (est.)
Two days of free rides across the Muni Metro system. Modest — Thanksgiving weekend has lower ridership than a weekday.
Staff Overtime + IR Costs
Undisclosed
Weekend emergency restoration of 2,000 machines. Federal engagement (FBI/DHS). External forensics. Likely six figures.
🔧
Security Overhaul
Multi-year
Network segmentation, EDR rollout, patching programme, user training. The largest cost, and the one that mattered most.
📈
The Real Damage Was Reputational

SFMTA's operational technology (train signalling, safety systems) was never touched, but for 72 hours the public watched a major American city transit agency locked out of its own computers by a foreign ransomware operator. That image — followed by copycat attacks on Fort Worth transit, Philadelphia's SEPTA, and Martha's Vineyard's Steamship Authority — reshaped US infrastructure cyber policy for the next decade.


Section 11

Practical Example — Detecting Mamba-Style Behaviour

A modern SOC (Security Operations Centre) would spot Mamba's behavioural fingerprints before disk encryption completes. The malware's use of legitimate tools is a defence and a tell — DiskCryptor is not commonly installed on typical corporate workstations, so its appearance is itself an indicator of compromise.

Indicators of Compromise (IoCs) for Mamba / HDDCryptor

# === File System Indicators ===
FOLDER:  C:\DC22\               # DiskCryptor install path
FOLDER:  C:\xampp\http\          # Staging directory
FILE:    myConf.txt             # Encryption config (key + reboot delay)
FILE:    dcapi.dll              # Modified DiskCryptor API module
FILE:    dcinst.exe             # DiskCryptor installer

# === Windows Service Indicators ===
SERVICE: DefragmentService      # Malicious service name
RUN AS:  LocalSystem            # Executes as SYSTEM

# === Network Indicators (2016 campaign) ===
EMAIL:   cryptom27@yandex.com   # Ransom contact (SFMTA)
EMAIL:   w889901665@yandex.com  # Earlier campaigns
EMAIL:   cryptom2016@yandex.com # Hosting provider comms

# === Behavioural Indicators (higher fidelity) ===
EVENT:   PsExec.exe execution against >5 hosts in <5 minutes
EVENT:   Scheduled task creation with SYSTEM context on multiple hosts
EVENT:   New Windows service registered pointing to unsigned binary
EVENT:   Any process writing to sector 0 of \\.\PhysicalDrive0
EVENT:   Unexpected reboot within 5 minutes of scheduled task creation

YARA Rule — Detecting the DiskCryptor Abuse Pattern

// A minimal YARA rule that flags binaries bundled with DiskCryptor components.
// Real production rules go deeper into imphash and PE anomalies.

rule HDDCryptor_Mamba_Indicators
{
    meta:
        author      = "SOC analyst"
        description = "Detects HDDCryptor / Mamba DiskCryptor abuse"
        reference   = "SFMTA incident, November 2016"

    strings:
        $dc1 = "C:\\DC22\\"            ascii wide
        $dc2 = "dcapi.dll"            ascii wide
        $dc3 = "dcinst.exe"           ascii wide
        $svc = "DefragmentService"    ascii wide
        $cfg = "myConf.txt"           ascii wide
        $note = "You Hacked, ALL Data Encrypted" ascii wide

    condition:
        2 of ($dc*) or $svc or $cfg or $note
}
🛡️
Rule of Thumb for MBR Ransomware

Any process on a corporate endpoint touching the Master Boot Record is a P1 incident. There is no legitimate business reason for user-space software to write to \\.\PhysicalDrive0 sector 0. Modern EDR tooling (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) alerts on this by default — but you must have it deployed before the attack.


Section 12

Defence Configuration — What SFMTA Should Have Had

This section walks through the specific configuration changes that would have prevented, contained, or drastically limited the SFMTA attack. Each maps to a concrete control any defender can implement today.

1. Disable PsExec Lateral Movement

# PowerShell / Group Policy: block PsExec on workstations that don't need it.
# SMB port 445 is Mamba's spread mechanism; deny east-west by default.

# Windows Firewall rule — block inbound SMB from workstation ranges:
New-NetFirewallRule -DisplayName "Block-SMB-East-West" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress "10.0.0.0/8" -Action Block

# Registry: prevent PsExec-style admin$ pipe abuse from non-domain-controllers:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
    -Name "AutoShareWks" -Value 0

2. Enable Application Allow-Listing (WDAC)

# Windows Defender Application Control policy fragment.
# Only signed, approved binaries may execute. DiskCryptor is not on the list.

<SiPolicy>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
  </Rules>
  <!-- Only allow binaries signed by Microsoft or the org's cert. -->
</SiPolicy>

3. Network Segmentation — VLAN by Function

# Conceptual segmentation. SFMTA had one flat network. Should have looked like:

VLAN 10  — Ticketing kiosks       # public-facing, isolated
VLAN 20  — Station terminals      # staff, restricted access
VLAN 30  — Corporate workstations # email, office work
VLAN 40  — Domain controllers     # heavily restricted
VLAN 50  — Operational Technology # signalling, train control — air-gapped
VLAN 99  — Management               # jump hosts only, MFA required

# Deny-by-default east-west traffic between all VLANs.
# Explicit allow rules for necessary flows only, logged at both ends.

4. The 3-2-1 Backup Rule (What Saved SFMTA)

💾 The Only Backup Rule That Survives Ransomware
3
Keep three copies of every important dataset. The original plus two backups. One copy is never enough — hardware failure alone accounts for it.
2
Store the copies on two different media types. Disk plus tape, or disk plus cloud object storage. Different media fail differently.
1
Keep one copy off-site AND offline. Ransomware routinely targets network-attached backups. Air-gapped or immutable (write-once) storage is the copy that survives an attack.
+
Test restore quarterly. An untested backup is not a backup. If SFMTA had never tried a restore, the outcome could have been very different — plenty of organisations discover during an incident that their tapes are unreadable.

Section 13

Similar Cases — The Muni Playbook Repeated

SFMTA was neither the first nor the last public infrastructure ransomware victim. Studying the sequence reveals a pattern: every case shares two or more of the same root causes SFMTA had.

Year Victim Ransomware Paid? Root Cause Shared With SFMTA
Feb 2016 Hollywood Presbyterian Hospital, LA Locky Yes — $17,000 Flat network, weak email filtering
Apr 2016 Lansing Board of Water & Light, MI Unnamed Yes — $25,000 No offline backups
Nov 2016 SFMTA / Muni, San Francisco Mamba / HDDCryptor No — refused Unpatched WebLogic + flat network
May 2017 UK NHS + 200,000 machines globally WannaCry Mostly no Unpatched SMBv1 (EternalBlue)
Mar 2018 City of Atlanta SamSam No — refused Weak RDP credentials, no MFA
May 2021 Colonial Pipeline, USA DarkSide Yes — $4.4M (part recovered) Compromised VPN account, no MFA
May 2021 Irish Health Service (HSE) Conti No — refused Phishing entry + flat network
Jun 2021 New York MTA Unattributed (China-linked) Unpatched Pulse Secure VPN
🔴
The Pattern Never Changed

A decade of attacks and the top three root causes remain: unpatched internet-facing services, flat internal networks, and weak or missing multi-factor authentication. If you fix only three things after reading this tutorial, fix those three.


Section 14

Newspaper & Reference Coverage of the Attack

The SFMTA case is unusually well-documented because it was so publicly visible. Below is a curated list of the primary sources — useful for anyone building on this case study for academic work or professional briefings.

Publication Date Contribution
San Francisco Examiner Nov 26, 2016 First reporter on the ground. Photographed the "Out of Service" signs. Broke the direct-quote email correspondence with the attacker.
Forbes (Thomas Brewster) Nov 28, 2016 Documented the ransom amount (100 BTC ≈ $70,000) and got the attacker's follow-up interview quotes.
CBC News Nov 28, 2016 Muni spokesperson Paul Rose on record: "The SFMTA has never considered paying the ransom."
BBC News Nov 28, 2016 Confirmed no impact to transit service, safety systems, or customer information.
MIT Technology Review Nov 28, 2016 Contextualised alongside the Hollywood Presbyterian Hospital ransomware case earlier that year.
Krebs on Security Nov 29, 2016 The pivotal report. Brian Krebs revealed the attacker's inbox had itself been hacked, exposing prior victims and total earnings of at least $140,000.
Trend Micro Research Dec 2016 Technical analysis of HDDCryptor / Mamba — DiskCryptor abuse, MBR overwrite, PsExec spread.
SecurityWeek (Ionut Arghire) Dec 6, 2016 Documented Fortinet's Oracle WebLogic entry-point theory.
Kaspersky Lab (SecureList) 2017 Long-term tracking of Mamba operators as they resurfaced in Brazil and Saudi Arabia.
FBI FLASH Alert MI-000148-MW Mar 2021 Federal Bureau of Investigation IOC bulletin on Mamba — five years after the SFMTA hit, the family was still active.

Section 15

Golden Rules — The SFMTA Lessons in Seven Lines

🛡️ Non-Negotiable Takeaways From the Muni Attack
1
Assume you will be hit. SFMTA was not targeted — they were opportunistically scanned. Every internet-exposed server is a potential entry point. Design your defences around when, not if.
2
Segment ruthlessly. A flat network turns one compromised machine into 2,000. VLANs, micro-segmentation, and deny-by-default east-west traffic are the single highest-impact investment you can make.
3
Patch public-facing services within days, not months. The Oracle WebLogic flaw that likely let Mamba in was already patched. SFMTA hadn't applied it. Attackers scan the internet daily; your patch window is the exploit window.
4
Offline backups are the last line of defence. Everything else is a delay tactic. The 3-2-1 rule is non-negotiable, and tested restores are the difference between a bad weekend and a bankruptcy.
5
Do not pay. Payment funds the next attack, does not guarantee decryption, and marks you as a paying target. SFMTA showed refusal is a viable strategy when backups exist.
6
Detect behaviour, not signatures. Mamba used legitimate tools — DiskCryptor, PsExec, scheduled tasks. Traditional AV missed it. Modern EDR flags the behaviour: MBR writes, mass lateral SMB, service creation on multiple hosts.
7
Have an incident response plan and rehearse it. As IBM's Limor Kessem said of Muni: the #1 factor in preparedness is not employee training, it is a rehearsed IR plan that gives teams muscle memory to react quickly and effectively when the moment comes.
🌟
Closing Thought

The San Francisco Muni attack ended well — no data lost, no ransom paid, no passengers stranded, and the attacker publicly embarrassed within a week. It is one of the very few ransomware cases with a genuinely positive ending. That outcome was not luck. It was the product of good backups, a refusal to negotiate, and a willingness to be transparent. Every organisation defending critical infrastructure should aspire to the SFMTA response — while learning from the mistakes that got them into the crisis in the first place.