San Francisco’s “Muni” Rail Network Hacked; Hacker Gets Hacked
Posted by: Timothy Weaver on 11/30/2016 12:05 PM
A hacker put ransomware on San Francisco’s “Muni” rail network over Thanksgiving and activated it this past weekend, shutting down 900 computers and allowing passengers to ride free until the system was returned to normal service this past weekend.
According to Krebs On Security, a "white hat hacker" was able to crack the password of the hacker's email account and change it, locking the hacker out of his own account.
The unnamed security hacker managed to guess the security question to the account. He found that the hacker had amassed close to $100,000 from multiple attacks over the past few months.
The email account also contained the ransom note to the rail system as well as 14 bitcoin wallets. The hacker had targeted various companies including US manufacturing and construction companies. The majority of those ransomed paid the $730 demanded. Some companies even paid more for information from the hacker as to how they were hacked.
Although the researcher found over 300 addresses associated with a server, the contact phone number appears to be a Russian mobile number.
The rail system has refused to pay the ransom and used backups to return to service. They posted this notice:
“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.
Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”
Source: Info Security
