The University of California San Francisco (UCSF) paid a ransom of $1.14 million to the NetWalker ransomware gang to resolve an attack on its School of Medicine servers that resulted in the encryption of data. The attack happened on June 1, 2020. UCSF isolated the impacted servers, but that did not avert file encryption.
The UCSF School of Medicine is involved in research to discover a COVID-19 cure, and the university is seriously engaged in antibody testing. The ransomware attack did not hinder COVID-19-related work or the delivery of patient care. UCSF is convinced that the attackers did not get access to patient information, though certain files were compromised during the attack.
The encrypted information was important to the university’s research. Since file recovery using backups was not possible, UCSF had to make a deal with the attackers, paying a ransom of roughly $1.14 million in exchange for the decryption of the data and the return of the data they stole.
The BBC received an anonymous tip-off about the live chat on the dark web between the negotiators and the NetWalker ransomware operators. Based on the report, the attackers posted a sample of the stolen data online. However, after UCSF contacted the attackers via email, the data was taken offline to make way for the negotiation. At first, UCSF offered a ransom payment of $780,000, but the NetWalker group demanded $3 million. Later, the two sides agreed on a payment of 116.4 Bitcoin, or $1,140,895.
UCSF explained on its website that the investigation of the ransomware attack seems to indicate that neither UCSF nor the School of Medicine was the target of the attack. The investigators think that the malware encrypted the servers opportunistically and that no specific area was targeted. UCSF reported the attack to the FBI and is helping with the investigation.
The NetWalker ransomware hit three universities in the U.S., including UCSF, within one week in June. The other universities attacked were Columbia College Chicago and Michigan State University. The stolen Columbia College data posted on the NetWalker website is now gone, which means the college paid the ransom as well.