The hacker was able to breach Saolis' Yandex mail account by correctly guessing the security question used for password resets. From there they reached other email addresses and Bitcoin wallets, which suggest Saolis has earned as much as $140,000 from attacking companies. The main attack vector was to target firms running Oracle server products, as well as its Primavera project-management tool. Those servers were exposed through a software flaw that Oracle had patched back in November 2015, meaning the victims were running servers a year out of date.
San Francisco's transit agency was something of an outlier: Saolis mostly targeted private businesses, which allegedly paid the ransom quietly, rather than public bodies. Construction firms appear to have been attacked regularly, as Saolis had been in contact with companies such as China Construction of America, CDM Smith and Skillman. Other companies on the list include Irwin & Leighton and the Rudolph Libbe Group, a building consultancy.
Despite switching between multiple Bitcoin wallets and email addresses to avoid detection, the anonymous hacker left some clues to their identity. Personal notes were written in what is believed to be Persian (Farsi), suggesting they are based in the Middle East. It is also believed that Andy Saolis uses the pseudonym Ali Reza, a common name in Iran and the wider region.
Krebs ends the piece with the usual exhortation for companies and individuals to take better care of their data: back up files regularly, keep those backups offline and keep software up to date with the latest patches. If you use a web-based email service, also make sure the answers to your security questions can't be easily guessed or looked up; otherwise all it takes is one careless post on social media and every one of your secrets is exposed.