The University of California at San Francisco School of Medicine reportedly paid a $1.14 million ransom in cryptocurrencies to the hackers behind a ransomware attack on June 1.
According to CBS San Francisco, the UCSF IT staff first detected the security incident, stating that the attack launched by NetWalker group affected “a limited number of servers in the School of Medicine.”
Although the areas were isolated by experts from the internal network, the hackers left the servers inaccessible and managed to deploy the ransomware successfully. A statement published by the University of California said:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. [...] We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
A negotiation took place between the hackers and UCSF
BBC News revealed that a covert negotiation between the UCSF officials and the gang took place, but didn’t end successfully.
The university’s officials first asked to reduce the ransom payment amount to $780,000, but the hackers rejected the offer, stating that if they accepted the reduced amount, it would be as if they had “worked for nothing.”
Netwalker then warned that they will only accept $1.5 million, and “everyone will sleep well.” Hours later, the UCSF staff asked for the steps to follow to send the payment and put a final offer of $1,140,895, which was accepted by the hackers.
The university’s staff then proceeded to send 116.4 Bitcoin (BTC) the next day to the ransomers’ wallets and received the decryption software.
Risks associated with ransomware incidents are “greater than ever”
Speaking with Cointelegraph, Brett Callow, a threat analyst and ransomware expert at malware lab Emsisoft, commented:
“While public and private sector entities in the U.S., Europe and Australasia are the most common targets for ransomware groups, entities in other countries are frequently targeted too. And as ransomware attacks are now data breaches, the risks associated with these incidents are greater than ever — both to the targeted organizations and to their customers and business partners.”
Callow adds that companies can minimize the likelihood of being successfully attacked by “adhering to security best practices — locking down RDP, using multi-factor authentication everywhere it can be used, disabling PowerShell when not needed, etc.”
In early June, Cointelegraph reported that Michigan State University had been attacked by the NetWalker ransomware gang, which threatened to leak students’ records and financial documents. At the time, university officials said that they will not pay the ransom.