The University of California at San Francisco (UCSF) has admitted to paying a partial ransom demand of $1.14 million to recover files locked down by a ransomware infection.
The university was struck on June 1, when malware was found in the UCSF School of Medicine's IT systems. Administrators quickly attempted to isolate the infection and ringfence a number of systems, which prevented the ransomware from traveling to the core UCSF network and causing further damage.
While the school says the cyberattack did not affect "our patient care delivery operations, overall campus network, or COVID-19 work," UCSF servers used by the school of medicine were encrypted.
Ransomware can be particularly destructive: once a system is compromised, its content is encrypted and rendered inaccessible. Victims are then faced with a choice: potentially lose their files, or pay a ransom demand. Cyberattackers will often set a time limit on the decision to ramp up the pressure to pay.
As shown in this case, blackmail demands can reach millions of dollars.
"The attackers obtained some data as proof of their action, to use in their demand for a ransom payment," the university said in a statement. "We are continuing our investigation, but we do not currently believe patient medical records were exposed."
It is not recommended that victims bow to ransom demands, as this furthers criminal enterprises. However, UCSF said it took the "difficult decision to pay some portion of the ransom" as some of the information stored on the servers is "important to some of the academic work we pursue as a university serving the public good."
The Netwalker gang is believed to be responsible.
The BBC was able to follow the negotiation, conducted on the Dark Web, between Netwalker and the university. The threat actors first demanded $3 million, which UCSF countered with a $780,000 offer, together with a plea that the novel coronavirus pandemic had been "financially devastating" to the academic institution.
This offer, however, was dismissed, and a back-and-forth eventually led to the agreed figure of $1,140,895, made in Bitcoin (BTC).
In return for payment, the threat actors provided a decryption tool and said they would delete data stolen from the servers.
SophosLabs says the Netwalker toolkit is extensive and includes the Netwalker, Zeppelin, and Smaug ransomware, Windows-based reconnaissance tools, and brute-force credential software.
The researchers say this group tends to focus on large organizations rather than individual targets. In past attacks, Netwalker has targeted systems through well-known and public vulnerabilities or via credential stuffing on machines with remote desktop services enabled.
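The credential-stuffing vector described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often across many different usernames, sometimes followed by a success (4624). The following is an added detection example written for this article, not code from UCSF, Sophos or the Netwalker investigation; the log records are constructed sample data and the field names, threshold and window are assumptions, not a reference to any real log schema.

```python
"""Flag possible RDP credential stuffing from Windows Security log records.

Added example. The records below are constructed sample data, not from the
UCSF incident. Event ID 4625 = failed logon, 4624 = successful logon;
LogonType 10 = RemoteInteractive (RDP). Field names are assumed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed field layout).
SAMPLE_EVENTS = [
    {"time": "2020-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-06-01T02:00:17", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-06-01T02:00:25", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2020-06-01T02:00:33", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"time": "2020-06-01T02:00:41", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    # A user mistyping a password twice, then getting in: should not be flagged at default threshold.
    {"time": "2020-06-01T08:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "jdoe"},
    {"time": "2020-06-01T08:15:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "jdoe"},
    {"time": "2020-06-01T08:16:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.9", "user": "jdoe"},
    # Console logon failure (type 2): not RDP, ignored by the detector.
    {"time": "2020-06-01T09:00:00", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jdoe"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources whose failed RDP logons reach
    `threshold` within any sliding `window`.

    A finding records the peak number of failures seen inside one window,
    the distinct usernames tried during flagged windows, and whether a
    successful RDP logon from the same source followed the burst (the
    signal that most needs an analyst's attention).
    """
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)  # src_ip -> (timestamp, user) of failures still inside the window
    findings = {}
    for e in events:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append((ts, e["user"]))
            while q and ts - q[0][0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"peak_failures": 0, "users": set(), "success_after_burst": False}
                )
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["users"] |= {u for _, u in q}
        elif e["event_id"] == 4624 and ip in findings:
            # A success from a source already flagged for a failure burst.
            findings[ip]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f["peak_failures"], sorted(f["users"]), "success after burst:", f["success_after_burst"])
```

The two cases are deliberately different: the first source cycles through five accounts in forty seconds and then logs in, which is what credential stuffing or a password spray looks like; the second is one person failing twice. The threshold and window are tuning knobs, and in practice the detector should run over the real 4625/4624 event stream of every host that exposes RDP, with the flagged source addresses fed to blocking or MFA enforcement.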
UCSF pulled in cybersecurity consultants to investigate the incident and is currently working with the FBI. At the time of writing, servers are still down.
"We continue to cooperate with law enforcement, and we appreciate everyone's understanding that we are limited in what we can share while we continue with our investigation," the university added.