So in your original example would that be picked up by an anti virus?
It's actually possible, see below for why.
Regardless of whether or not it did right away, once your AV caught up it would detect it, without an Av you would continue plodding along blindly unaware your system was completely compromised. I'm not saying Av is perfect, but it is more responsive than MS or doing nothing at all. The thing to remember is that they are always behind on threats, would you rather be a week behind, a year behind or just completely ignorant of them entirely?
So why could it catch it?
AVs use "fingerprints", snippets of code that it uses to identify a bit of malware, any programmer can write a malicious bit of code, making it unique enough that an AV doesn't catch it however takes skill and knowledge. Someone who does this probably dedicates a good bit of their life to it. The same applies to people who can hack a website or makes the tools to hack a website, you have armies of people working against you blocking any obvious points of entry other than brute force, which believe me, A LOT still goes on. My web server was seeing an attempt every 10 seconds, AFTER I blocked China and Russia. This is why many hackers do more social engineering than actual hacking, it's easier to trick someone into giving you their password than to try and hack your way in "Hi this is Joe in tech support, we noticed a problem on your computer, can you help me access...", you would be amazed how many fall for it.
Back to our hacker... As a result of the difficulty, there are actually few people who can do both well. You can however buy/sell/trade hacks, in fact there is an entire economy built around this on the internet and as with anything underground, it's ripe with people ripping each other off as well as spies. If you are buying a hack, do you care if you used a legit credit card? Probably not, and do you think he cares to keep that card number secret as a result? Probably not, there is no honor among thieves after all. There are people selling tools to ID vulnerable systems, others selling hacks, virii*, credit cards, trojans, etc...
So, where does it leave this hack?
Chances are they bought a hack and/or a ransomware script and then went looking for servers vulnerable to said hack and they found Transmission's website. Could it have been targeted, of course, but it also may have just been luck of the draw on an unpatched server. This also means it probably wasn't what the press refers to as zero day**.
* Most virus writers in my experience do it for fun, as a hobby, and they keep to themselves trying to infect each other, it's a game of security research. Unfortunately, every once in a while someone lets one slip to a buddy trying to infect an ex- girlfriend or something and that's how we get these hasty buggers out in the wild. It's also why AV writers can block many before they ever reach the streets, they often get these snippets of code early on.
** Zero day is over-used, it may not be new at all, but instead only now just finding it's way into the wild, as explained above, many vulnerabilities are found long before someone tries to exploit them.
