The University Of California Pays $1 Million Ransom Following Cyber Attack
The University of California, San Francisco (UCSF) has confirmed it paid a ransom totaling $1.14 million (£925,000) to the criminals behind a cyber-attack on its School of Medicine.
I have been warning anyone who will listen about the dangers posed by the Netwalker ransomware threat since March 5, 2020. Unlike some other ransomware operators, this particular group of cybercriminals has not declared a ceasefire against medical targets during the COVID-19 pandemic. On March 12, for example, it was reported that the Netwalker hackers had taken the website of the Champaign Urbana Public Health District (CHUPD) in Illinois offline. Educational facilities in the U.S. are also in the crosshairs of the Netwalker gang, and if they can combine health and education, then seemingly so much the better.
On June 1, the hackers behind the Netwalker ransomware campaign attacked UCSF networks within the School of Medicine IT environment. While this thankfully did not impact either patient care delivery operations or research work on a cure for COVID-19, data on a “limited number of servers” was successfully encrypted according to a UCSF statement published June 26.
The encrypted data “is important to some of the academic work we pursue as a university serving the public good,” the UCSF statement said. Although it is not thought that any patient records were exposed by the Netwalker cyber-attack, the statement continued: “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
According to a BBC report, the hackers were originally demanding a ransom of $3 million (£2.4 million), but this was negotiated down by a UCSF representative “who may be an external specialist negotiator.” A UCSF spokesperson told the BBC that it would be a “mistake” to assume that everything in the negotiation statements was “factually correct.”
I spoke to Jake Moore, a former police officer specializing in cybercrime and now a cybersecurity specialist at ESET, about the payment of a ransom in this case. “I never condone paying a ransom as you can never be 100% certain you will see the encryption key,” Moore says, adding “by paying such demands you effectively fly a flag announcing that you pay ransoms hence further attacks on similar industries will continue.”
Given that ransomware is hardly a new threat, it surprises me to learn that ransoms still need to be paid to decrypt encrypted data. Backups should, in theory, negate that necessity. There is a whole different dynamic at play when it comes to ransomware operators such as Maze and REvil (also known as Sodinokibi), who steal data before encrypting servers and use the threat of publication or sale as leverage in ransom negotiations.
The theft and publication of data, such as was seen when the REvil operators demanded $42 million (£34 million) for so-called “dirty laundry” relating to President Trump, could yet play a part in the ransom payment by UCSF. The UCSF statement refers to the attackers obtaining “some data as proof of their action” to be used in the ransom demand, with the encrypted data itself cited as the reason for payment, along with the return of the stolen data.
“It breaks my heart when I hear that an organization has unwittingly provided a seed round of financing to cybercriminals,” Ian Thornton-Trump, CISO at Cyjax, says. “Working in threat intelligence, we have seen numerous warnings, both public and private, of threat actors targeting pretty much anything to do with research related to Covid-19,” he adds.
UCSF has said that COVID-19 research was not impacted by the ransomware. However, UCSF is restricted in the information that it can share about the cyber-attack itself while the investigation, in cooperation with law enforcement, continues.
It’s hard to deny that there will be plenty of interest not only in how the attackers managed to gain their foothold on the School of Medicine network, but also in whether backups of the encrypted data were available. The wording of the UCSF statement itself does seem to suggest that they were not. If this is the case, Thornton-Trump says, there will be questions to be asked as to why “executives are willing to pay a $1 million ransom to cybercriminals, but not willing to pay a fraction of that to implement or maintain backups?”
I have reached out to UCSF for further comment regarding the backups situation and will update this article should any be forthcoming.
“It’s always better to prevent and protect rather than to pay, but this is a tough sentiment to swallow after it has occurred,” Moore concludes, warning that “by paying these criminals it only funds a further round of attacks and continues the cycle of this frustrating malware.”