UCSF Pays $1.14M After NetWalker Ransomware Attack


UCSF has paid more than $1 million after a ransomware attack encrypted data related to “important” academic research on several servers.

The University of California, San Francisco (UCSF) has paid a $1.14 million ransom to recover data related to “important” academic work. The data was encrypted after the NetWalker ransomware reportedly hit the UCSF medical school.

The UCSF, which includes a medical school and a medical center (UCSF Medical Center) as well as a graduate division, is a leading institution in biological and medical research. The university said that it first detected a “security incident” in its medical school’s IT environment on June 1. The attackers launched malware that encrypted a “limited number” of servers within the medical school, making them inaccessible.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” said the university in a recent security update. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

Threatpost reached out to UCSF for more information about how the cyberattack started and whether they have received a decryption key that works.

The cyberattack did not affect the university’s patient care delivery operations, overall campus network, or COVID-19 work, it said. UCSF also said they “do not currently believe” patient medical records were exposed – but are continuing their investigation.

“Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” according to UCSF. “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment.”

NetWalker Ransomware

According to a BBC report, the NetWalker ransomware is behind the attack. This ransomware family, which was behind a cyberattack on the Toll Group, recently transitioned to a ransomware-as-a-service (RaaS) model, and its operators are placing a heavy emphasis on targeting and attracting technically advanced affiliates.

The healthcare sector has been a prime target for the ransomware group, particularly during the ongoing pandemic. The group was reportedly behind a ransomware attack on the website of Champaign-Urbana Public Health District in Illinois earlier in 2020, for instance.

During the cyberattack on UCSF, the operators reportedly sent the university an initial ransom demand of $3 million, noting that the university made billions a year, according to BBC’s report. After back-and-forth negotiations, the ransomware operator made a final offer of $1.14 million. Since then, UCSF has transferred 116.4 Bitcoins to the attacker’s electronic wallet, and has since received decryption software.

After detecting the attack, UCSF isolated the affected IT system in the medical school’s environment so that the core UCSF network was not affected. The university also has been working with a leading cyber-security consultant and other outside experts to investigate the incident, and said it expects to fully restore the affected servers soon.

Paying The Ransom

The act of paying the ransom after a ransomware attack has long drawn criticism from security experts, who say that the payouts fund future malicious activities by cybercriminals and give them more incentive to launch further attacks. Experts say paying the ransom can also inspire other cybercriminals to launch similar attacks in hopes of making money. Some states, like New York, have even considered banning municipalities from paying ransomware demands.

Brett Callow, threat analyst with Emsisoft, told Threatpost that paying the ransom leads to a “vicious circle” and the only way to break it is for companies to stop paying.

“Some consider the question of whether to pay ransoms to be purely business decisions that companies should make on the basis of simple cost-benefit analyses. This, of course, is a very shortsighted view,” Callow said. “Paying ransoms further incentivizes the criminals and provides them with additional resources to invest in scaling up their operations. That means more victims, and more ransoms paid.”

Ransom payouts can also be a costlier approach for ransomware victims. Recent research conducted by Vanson Bourne and commissioned by security firm Sophos showed that ransomware victims that refused to pay a ransom reported, on average, $730,000 in recovery costs – while organizations that did pay a ransom reported an average total cost, including the ransom, of $1.4 million.

Despite these warnings, it’s not uncommon for ransomware victims to pay up. Travelex this year paid out $2.3 million to hackers to regain access to its global network after a January malware attack knocked the global currency exchange offline and crippled its business. And in 2019, a Florida city, hit by a ransomware attack that crippled its computer systems for three weeks, paid the attackers the requested ransom of $600,000.
