disclosure: i worked as a contractor for LA Metro.
its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted"
not a hard feat to pull off. the data thats shown on these screens is either dynamically generated by track signal data thats processed through SCADA and into a windows system, or you can issue an override screen for construction/etc...removing this screen should not be hard.
and all the rides were free
there is no magic button to make all rides free centrally. This was likely done by Muni as a last ditch effort because their card transaction databases were offline or the system that handles accounting for this database was offline due to the hack. Muni simply put their turnstiles into bypass mode and sent their fare enforcement officers home for the day. it means when they run their fare-jump report for the month, theyll have to adjust for the days they had open fare points.
"The transit agency has no idea who is behind it, or what the hackers are demanding in return,"
nothing. chances are great they didnt expect to get this far. its possible the warning on muni transit screens is a side-effect of a wallpaper or start screen that machines are now forced into depending on what model of annunciation system they purchased. if thats the case, reimaging the screens will take 2-3 hours and can all be done centrally. as for the accounting database for oyster/muni cards, thats an easy restore from backup or calling transactions back from their VAN provider (value added networks, generally operated by IBM or Cisco.)
as for people worrying about getting paid, this happens a lot. ive once shut down live map systems on a handful of busses to upgrade the video drivers, and by the end of the day there was a rumor spreading that the payroll department was hacked. Drivers/operators are not brilliant minds.