Per their findings, SF Muni was a departure for this extortionist, who previously had targeted private companies. Targeting a public transit system is probably what got them hacked.
The saga began the Friday after Thanksgiving, when Saolis broke into SF Muni's computer system using ransomware and held the rail system in a stranglehold over the weekend for a ransom of 100 bitcoin, or about $73,000. Customers were allowed to ride the rails for free for much of the weekend as ticketing kiosks were left inoperable, with screens at terminals reportedly reading "you hacked, ALL data encrypted."
Overall, the hack affected 30 gigabytes of customer and employee data across more than 2,000 computers, about 25 percent of the Muni's entire network. Ticket machines were working again on Sunday morning.
SF Muni confirmed in a blog post that it would not pay any ransom for the breach. "The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing."