This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.

[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)