The agency that operates San Francisco’s municipal railway has all but recovered from a crippling ransomware attack that struck its computer network over Thanksgiving weekend, the agency said.
Hackers had infected the municipal transportation agency’s systems with malicious software that locked employees out of their digital files on Friday. The cybercriminal group demanded a ransom of 100 Bitcoins, or about $73,000, for the agency to regain access.
When the attackers did not receive the payment, they additionally threatened to dump 30 gigabytes of the agency’s employee and customer data that they claimed to have stolen. That ultimatum appears, however, to have been a bogus scare tactic to extort its prospective victim.
Get Data Sheet, Fortune’s technology newsletter.
Paul Rose, a spokesman for the San Francisco Municipal Transportation Agency, emailed Fortune on Monday evening to say that the agency had called the attackers’ bluff. “Based on the information we have, and in conference with DHS,” he said, referring to the Department of Homeland Security, with whom the agency is cooperating in an ongoing investigation, “we believe they do not have access to critical data files.”
Further, Rose added, the agency “never considered paying the ransom.” Instead, the agency restored the majority of its roughly 900 affected office computers through data backups. (Previous reports suggested that the malware had impacted more than 2,000 of the agency’s computers.)
“Existing backup systems allowed us to get most affected computers up and running this morning,” Kristen Holland, another agency spokeswoman, said in a blog post on Monday evening. She said the agency’s IT team expects that the rest will be restored “in the next day or two.”
For more on ransomware, watch:
“Muni operations and safety were not affected. Our customer payment systems were not hacked,” Holland wrote, noting that the attack had affected access to email and, vaguely, “various systems.” Station ticketing kiosks had been unplugged as a “precaution” between Friday and Sunday morning, she said.
“No data was accessed from any of our servers,” she added.
In a surprising turn of events (and, perhaps, a bit of satisfying poetic justice), two reports soon surfaced suggesting that the ransomware peddlers themselves had been hacked over the weekend. Anonymous security researchers contacted two reporters with evidence reportedly stolen from the attackers.
The first story, by Brian Krebs, an independent cybersecurity researcher, reported that that the attackers appeared to have exploited vulnerabilities in unpatched Oracle software to gain entry to the agency’s computer network. Previous targets by the San Francisco railway hacker appeared to include a number of U.S.-based construction and manufacturing firms.
Krebs also hypothesized, based on the provenance of Internet addresses used to administer a computer server associated with the attacks as well as some language analysis, that the attackers may be based in Iran.
Shortly thereafter, Thomas Fox-Brewster, a security reporter at Forbes, reported having made contact with another person who allegedly hacked the same email account implicated in the attack. Adding up the value of Bitcoins stored in Bitcoin addresses linked to the hackers’ accounts, he estimated that the operation had raked in “well above $100,000 in less than four months.”
The source also disputed the idea that people responsible for the hacking were in Iran, but that person provided no evidence or reasoning to support the claim.