The Sacramento Regional Transit’s (SacRT) public transportation agency suffered a security breach over the weekend that forced it to temporarily shut down its website, according to a report from the Sacramento Bee.

The shutdown occurred after an anonymous hacker successfully breached the SacRT computer systems and defaced its website while demanding the agency pay a ransom in order to restore the site to normal.

The attack took place Sunday, November 18. Prior to being taken offline, the landing page for the SacRT website contained a message left by the hacker intended to reach the agency officials.

The message read as follows:

“I'm sorry to modify the home page,i'm good hacker,i I just want to help you fix these vulnerability

This is one of the loopholes, modify the home page is to let you know there are loopholes, Not just this one loophole!

It's Very Dangerous!!please contact me as soon as possible

Please contact me email to help you fix these vulnerability:)

nesddjerfn@protonmail.com”

The self-described “good hacker” who supposedly intended to help SacRT secure the vulnerability that allowed for the breach attempted to extort one Bitcoin (worth approximately $8,000) from the agency in order to restore the site to normal.

When the agency declined to pay the ransom, the hacker quickly turned from supposedly well-intentioned to malicious and started deleting files from the SacRT server. In total, the attacker was able to erase about 30 percent of the agency’s files. It is not believed that any data was stolen from the organization as part of the attack.

Despite the attack that forced the SacRT website to go offline, the public transportation system continued to operate throughout the city and was effectively unfazed by the entire event. Employees were temporarily forced to use pen and paper to manage the daily operations of the transportation system, but operations continued without a hitch. The agency’s mobile app was also unaffected by the attacker.

SacRT is reportedly working to restore the deleted files from a backup. As of Wednesday, the agency’s website is back online and fully operational—and free of any messages left by hackers.

John Bambenek, the senior threat researcher at cybersecurity firm Fidelis, told International Business Times that such attacks are likely to become more common in 2018 as hackers continue to search for security vulnerabilities they can exploit in hopes of extorting cash from victims and to wreak havoc.

“Ransomware will continue to dominate the cyber threat landscape in 2018, but we will see a shift in its use and prevalence within the threat landscape. While traditionally used as an attack method for financial gain, we will see new cybercriminal groups increasingly use ransomware for sabotage,” Bambenek said.

Bambenek predicted the shift in motivation for attackers will impact the way in which ransomware and other malware is designed and created going forward. “Cybercriminals will evolve their tricks and techniques to maximize infection and destruction on a global level rather than optimize financial extraction,” he said.