The University Of California San Francisco finally confirmed that it had forked over $1.14m to ransomware thieves last week, less than a month after discovering that critical academic data related to its COVID-19 research had been encrypted.
The university said in a statement on Friday that it had detected a security incident affecting some of its School of Medicine servers on June 1. It had quarantined the affected IT systems at the time. The attackers managed to encrypt some of the university’s systems with ransomware and demanded a payment. Although the university believed that no patient’s medical records were affected, the data was important enough that it was forced to play ball with the criminals. It said:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
UCSF was one of three higher education establishments to be targeted in a single week at the start of June by the Netwalker ransomware gang.
The BBC received a tip that enabled it to drop in on a chat session between UCSF and the criminal gang on the dark web. According to the chat transcript, Netwalker originally asked for a $3m ransom, but UCSF countered, asking them to accept $780,000. The two parties kept haggling, until they agreed on a final sum of $1,140,895. That equated to 116.4 bitcoins, which the university transferred the following day.
Universities are difficult places to protect because the networks are vast and geared toward open information sharing. In September 2019, the UK’s National Cybersecurity Center reported that UK universities were at particular risk from nation-state attacks, although most fail to pay much attention. In May last year, Moody’s Investors Service warned that universities have numerous campuses and thousands of students along with budgetary constraints, making their cybersecurity effort especially difficult. Its research, sponsored by IBM Security, revealed 101 confirmed data disclosures at US universities in 2017, up from just 15 in 2014.