UCSF Pays Hackers $1.14M to Recover Encrypted Data

The hackers struck the University of California, San Francisco on June 1 with Netwalker malware that encrypted data on some of the School of Medicine’s servers, rendering them inaccessible.

by Daniel Wu, Palo Alto Daily News / July 1, 2020

(TNS) — Malware attacks on prominent businesses and institutions are nothing new. But experts say the shift to working from home amid the COVID-19 pandemic may be making it easier for hackers to find a way in.

The University of California, San Francisco paid a ransom of $1.14 million to hackers in June to recover data from its School of Medicine that had been encrypted in a cyberattack, the university announced Friday. The attack marked the third in a string of recent cyberattacks carried out against universities.

The prestigious medical school is among several universities to have been targeted by ransomware in recent months. ‘Netwalker’, the ransomware responsible for the UCSF hack, was used to carry out similar attacks against Michigan State University and Columbia College, Chicago in late May and early June. Michigan State opted not to pay its ransom on the advice of law enforcement, which resulted in financial documents and personal information from the university being published online.

Carolyn Crandall, Chief Deception Officer at computer security service Attivo Networks, said the shift to remote work amid COVID-19 has made companies more vulnerable to cyberattacks — new weaknesses like the use of personal computers at home and the cost of guarding remote connections to sensitive corporate servers have only made it easier for hackers to infiltrate targets. A search on Twitter reveals numerous additional organizations that have purportedly been targeted by Netwalker, from a Long Beach country club to a healthcare provider in Philadelphia.

Crandall said that Attivo has observed an uptick in ransomware attacks in recent months among its clients that she fears could eventually lead to further high-profile breaches.

“I hope I’m wrong, that the shoe’s not about to drop, but I fear given what we know as security professionals that there is definitely an increased risk,” she said.

The hackers struck UCSF on June 1 with malware that encrypted data on some of the School of Medicine’s servers, rendering them inaccessible. The hackers demanded a ransom payment to release the data — a demand that UCSF begrudgingly met on June 6 after a day of negotiation on a dark-web website.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the university wrote in a press release. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

According to UCSF, the incident did not affect patient care delivery operations or research on COVID-19. The university is working with a “leading cybersecurity expert” to investigate the attack and expects to be able to restore the affected data soon.

Crandall said that companies are generally advised not to pay ransoms if targeted by ransomware attacks.

“Inherently, (paying) doesn’t guarantee the return of the data or that the decrypter (to recover files) is going to work,” Crandall said. “And there’s always a chance that even if you pay the first time, they may come back and hit you again.”

©2020 the Palo Alto Daily News (Menlo Park, Calif.) Distributed by Tribune Content Agency, LLC.
