[BreachExchange] University of California SF pays ransomware hackers $1.14 million to salvage research

Destry Winant destry at riskbasedsecurity.com
Wed Jul 1 10:32:32 EDT 2020


https://www.zdnet.com/article/university-of-california-sf-pays-ransomware-hackers-1-14-million-to-salvage-research/

The University of California at San Francisco (UCSF) has admitted to
paying a partial ransom demand of $1.14 million to recover files
locked down by a ransomware infection.


The university was struck on June 1, when malware was found in the
UCSF School of Medicine's IT systems. Administrators quickly attempted
to isolate the infection and ringfenced a number of systems, which
prevented the ransomware from spreading to the core UCSF network and
causing further damage.

While the school says the cyberattack did not affect "our patient care
delivery operations, overall campus network, or COVID-19 work," UCSF
servers used by the school of medicine were encrypted.

Ransomware can be particularly destructive: once a system is
compromised, its content is encrypted and rendered inaccessible. Victims
are then faced with a choice: potentially lose their files, or pay the
ransom. Attackers often attach a deadline to the demand to ramp up
the pressure to pay.

As shown in this case, blackmail demands can reach millions of dollars.

"The attackers obtained some data as proof of their action, to use in
their demand for a ransom payment," the university said in a
statement. "We are continuing our investigation, but we do not
currently believe patient medical records were exposed."


It is not recommended that victims bow to ransom demands, as this
furthers criminal enterprises. However, UCSF said it took the
"difficult decision to pay some portion of the ransom" as some of the
information stored on the servers is "important to some of the
academic work we pursue as a university serving the public good."

The Netwalker gang is believed to be responsible.

The BBC was able to follow the negotiation, conducted on the dark web,
between Netwalker and the university. The threat actors first demanded
$3 million, which UCSF countered with a $780,000 offer, together with
a plea that the novel coronavirus pandemic had been "financially
devastating" to the academic institution.

This offer, however, was dismissed, and a back-and-forth eventually
led to the agreed figure of $1,140,895, made in Bitcoin (BTC).

In return for payment, the threat actors provided a decryption tool
and said they would delete data stolen from the servers.

SophosLabs says the Netwalker toolkit is extensive and includes the
Netwalker, Zeppelin, and Smaug ransomware, Windows-based
reconnaissance tools, and brute-force credential software.

The researchers say this group tends to focus on large organizations
rather than individual targets. In past attacks, Netwalker has
targeted systems through well-known and public vulnerabilities or via
credential stuffing on machines with remote desktop services enabled.
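The credential-stuffing-over-RDP vector described above is one a defender can watch for in the Windows Security log: a single source address producing a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) spread across many different usernames, possibly followed by a successful logon (Event ID 4624) from the same address. The following detector is an added example written for this post; it is not code from the article, from UCSF, or from SophosLabs. The event records are constructed for illustration and only mirror the Windows field names; the window, threshold and distinct-user settings are assumed tuning values, not anything the article specifies.

```python
"""Flag credential stuffing against RDP from Windows Security log events.

Added example for this post, not code from the article or the research it
cites. The events below are constructed; only the field names (EventID,
LogonType, IpAddress, TargetUserName) follow the Windows Security log.
EventID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive, i.e. a logon over Remote Desktop.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_stuffing_burst(ip="203.0.113.7", count=12):
    """Constructed data: `count` failed RDP logons from one address, each
    trying a different account ten seconds apart, then one success."""
    base = datetime.fromisoformat("2020-06-01T02:10:00")
    burst = [
        {"time": (base + timedelta(seconds=10 * i)).isoformat(),
         "EventID": 4625, "LogonType": 10, "IpAddress": ip,
         "TargetUserName": f"user{i:02d}"}
        for i in range(count)
    ]
    burst.append({"time": (base + timedelta(minutes=3)).isoformat(),
                  "EventID": 4624, "LogonType": 10, "IpAddress": ip,
                  "TargetUserName": "user07"})
    return burst


# Constructed sample events (synthetic, not real log data).
SAMPLE_EVENTS = [
    # Legitimate user: one mistyped password, then success. Must not alert.
    {"time": "2020-06-01T08:00:00", "EventID": 4625, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "jdoe"},
    {"time": "2020-06-01T08:00:20", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.5", "TargetUserName": "jdoe"},
    # Console (LogonType 2) failures are not RDP and must be ignored.
    {"time": "2020-06-01T08:01:00", "EventID": 4625, "LogonType": 2,
     "IpAddress": "10.0.0.9", "TargetUserName": "svc_backup"},
] + _constructed_stuffing_burst()


def find_rdp_stuffing(events, window=timedelta(minutes=5),
                      threshold=10, min_users=5):
    """Return {source_ip: report} for every source whose failed RDP logons
    reach `threshold` inside any sliding `window` and touch at least
    `min_users` distinct accounts (many accounts, few tries each, is the
    credential-stuffing shape; one account, many tries, is brute force).
    report = {"failures", "distinct_users", "followed_by_success"}.
    Threshold values are assumed tuning knobs, not from the article."""
    failures = defaultdict(list)   # ip -> [(time, username)]
    successes = defaultdict(list)  # ip -> [time]
    for e in events:
        if e.get("LogonType") != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        t = datetime.fromisoformat(e["time"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((t, e["TargetUserName"]))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(t)

    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= threshold and len(users) >= min_users:
                if best is None or len(span) > best["failures"]:
                    last_fail = span[-1][0]
                    best = {
                        "failures": len(span),
                        "distinct_users": len(users),
                        # A success after the burst suggests a credential hit.
                        "followed_by_success": any(
                            s > last_fail for s in successes.get(ip, [])),
                    }
        if best is not None:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, report in find_rdp_stuffing(SAMPLE_EVENTS).items():
        print(ip, report)
```

The `followed_by_success` flag is the part worth acting on: a burst of failures alone is noise on any internet-exposed RDP endpoint, but a burst followed by a success from the same address is the point at which an intruder has a foothold and the incident response described in the article becomes the next step.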

UCSF pulled in cybersecurity consultants to investigate the incident
and is currently working with the FBI. At the time of writing, servers
are still down.

"We continue to cooperate with law enforcement, and we appreciate
everyone's understanding that we are limited in what we can share
while we continue with our investigation," the university added.
