California University Pays Million-Dollar Crypto Ransom

Published at: June 30, 2020

The University of California at San Francisco School of Medicine reportedly paid a $1.14 million ransom in cryptocurrencies to the hackers behind a ransomware attack on June 1.

According to CBS San Francisco, the UCSF IT staff first detected the security incident, stating that the attack launched by NetWalker group affected “a limited number of servers in the School of Medicine.”

Although the areas were isolated by experts from the internal network, the hackers left the servers inaccessible and managed to deploy the ransomware successfully. A statement published by the University of California said:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. [...] We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

A negotiation took place between the hackers and UCSF

BBC News revealed that a covert negotiation between the UCSF officials and the gang took place, but didn’t end successfully.

The university’s officials first asked to reduce the ransom payment amount to $780,000, but the hackers rejected the offer, stating that if they accepted the reduced amount, it would be as if they had “worked for nothing.”

Netwalker then warned that they will only accept $1.5 million, and “everyone will sleep well.” Hours later, the UCSF staff asked for the steps to follow to send the payment and put a final offer of $1,140,895, which was accepted by the hackers.

The university’s staff then proceeded to send 116.4 Bitcoin (BTC) the next day to the ransomers’ wallets and received the decryption software.

Risks associated with ransomware incidents are “greater than ever”

Speaking with Cointelegraph, Brett Callow, a threat analyst and ransomware expert at malware lab Emsisoft, commented:

“While public and private sector entities in the U.S., Europe and Australasia are the most common targets for ransomware groups, entities in other countries are frequently targeted too. And as ransomware attacks are now data breaches, the risks associated with these incidents are greater than ever — both to the targeted organizations and to their customers and business partners.”

Callow adds that companies can minimize the likelihood of being successfully attacked by “adhering to security best practices — locking down RDP, using multi-factor authentication everywhere it can be used, disabling PowerShell when not needed, etc.”

In early June, Cointelegraph reported that Michigan State University had been attacked by the NetWalker ransomware gang, which threatened to leak students’ records and financial documents. At the time, university officials said that they will not pay the ransom.

Tags
Related Posts
University of Utah Pays Ransomware Gang to Prevent Student Data Leak
The University of Utah’s College of Social and Behavioral Science confirmed that they were hit by a ransomware attack on July 19. According to a statement issued by the University, the gang left many computers inaccessible for several hours as staff took servers offline to prevent the malware from spreading to other machines on the school’s network. Following internal discussion, officials decided to work with the school’s cyber insurance provider to pay a $457,059 ransom in order to prevent a data leak. Staff from the university clarified that the insurance policy paid part of the ransom and they covered the …
Technology / Aug. 22, 2020
Successful Ransomware Attacks Decline in 2020
The number of successful ransomware attacks witnessed a decrease between January and April 2020 in the U.S. public sector amid the COVID-19 crisis. However, researchers have recently noticed that trend reversing, with incidents now starting to increase. According to the study by the malware lab, Emsisoft, the figures show a decline in comparison to the 966 targeted establishments that were successfully attacked at the cost of $7.5 billion. Strong decline in the figures compared with 2019 stats However, during the Q1 and Q2 2019, just 128 federal and state entities, healthcare providers, and educational districts were attacked by ransomware gangs. …
Technology / July 9, 2020
Michigan State University Hit by Ransomware, Refuses to Pay Criminals
In early June, media outlets reported that the NetWalker ransomware gang had attacked Michigan State University, or MSU. At the time, the gang threatened to leak students’ records and financial documents. The university’s officials now have said that they will not pay the ransom. According to Detroit Free Press, the unspecified bounty requested in crypto by the ransomware group will not be paid by MSU. Officials did not publish an official statement addressing the reasons behind the decision. The attack seems to have happened on the U.S. Memorial Day holiday. It shut down the MSU’s computer systems, and breached its …
Technology / June 11, 2020
Well-Known Ransomware Gang Strikes Three Companies in the US and Canada
Ransomware group REvil has launched another series of attacks targeting three companies in the U.S. and Canada. As of press time, they have leaked data from two of the companies, and threatened to disclose sensitive data from the third. The companies are well-known Canadian accounting firm, Goodman Mintz LLP, licensed real estate broker Strategic Sites LLC, and ZEGG Hotels & Store, a duty-free store. First target of the week: an accounting company The gang kicked-off the week by leaking sensitive data from the Canada-based accounting company, Goodman Mintz LLP. The leak included company files, accounting and working documents of clients, …
Technology / June 17, 2020
Knoxville Is the Latest American City to Suffer a Ransomware Attack
An unidentified ransomware gang attacked the city of Knoxville, Tennessee’s IT network, forcing officers to shut down all systems on June 12. According to local news station WVLT, the attack took place sometime between June 10–11, encrypting all files within the network infrastructure. The attack forced workstations of the internal IT network to be shut down, which also disconnected internet access from the mayor’s infrastructure, public website, and even the Knoxville court. The FBI is currently assisting in the investigation, although the identity of the ransomware group behind the attack has not yet been revealed. The official statement from the …
Technology / June 15, 2020