The other vigilante hacker contacted security reporter Brian Krebs and identified themselves as a security researcher, which Krebs then verified after consulting other security experts. As one of them, Alex Holden of Hold Security, Inc. put it: “It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities.”
Per their findings, SF Muni was a departure for this extortionist, who previously had targeted private companies. Targeting a public transit system is probably what got them hacked.
The saga began the Friday after Thanksgiving, when Saolis broke into SF Muni's computer system using ransomware and held the rail system in a stranglehold over the weekend for a ransom of 100 bitcoin, or about $73,000. Customers were allowed to ride the rails for free for much of the weekend as ticketing kiosks were left inoperable, with screens at terminals reportedly reading "you hacked, ALL data encrypted."