According to a report at the KrebsOnSecurity website, last Friday people who use the SFMTA system, which is known as Muni, found "out of service" or "metro free" signs on all ticket machines.
The computer terminals at all Muni locations had a message from the attacker: “Contact for key (firstname.lastname@example.org)."
The person behind that email account claimed to have encrypted files on thousands of SFMTA computers and demanded 100 bitcoins (about US$73,000) to unlock the same.
Emails in the account, supplied to Krebs by the researcher, indicated that the attacker in question had been indulging in the activity for quite some time.
While the attacker had been careful to use several Bitcoin wallets, he had been careless when it came to security questions and had provided correct information.
Krebs wrote that, by speaking to several other security experts, he had found out that the attacker had not specifically targeted SFMTA, but rather attacked the company because of vulnerabilities in the software it was using.
The detailed report written by Krebs is well worth a read.