The University of California San Francisco paid about $1.14 million to ransomware operators earlier this month after its malware compromised several important servers in the UCSF School of Medicine and encrypted them to prevent access, UCSF administrators stated on June 26.
The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago. UCSF, which has pursued a substantial amount of research on coronavirus and COVID-19, stated that the attacks had not affected that research, nor had an impact on the operations of its medical center and patient care.
However, the ransomware had affected "a limited number of servers" in the medical school, the university said in a statement.
"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good," the statement said. "We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."
UCSF's information technology department caught the attack in progress and "quarantined several IT systems within the School of Medicine as a safety measure," preventing the attack from reaching the "core UCSF network," the university said in the June 26 statement.
The attack and its million-dollar consequences show that organizations must be able to recognize attacks and stop them much quicker, says Marcus Fowler, director of strategic threat at Darktrace, a threat protection firm.
"I think with ransomware, speed and visibility is going to be the key," he says. "They are running around and unplugging machines to manage the bleeding, rather than focusing on what happened."
NetWalker started attacking organization in 2019, focusing on large, global entities, according to cybersecurity firm SentinelOne. The group uses many generic system tools and tends to focus on so-called "living off the land" tactics, where the attackers try to only use utilities already present on the system to avoid being detected when installing malware, Jim Walter, a senior threat researcher at SentinelOne, wrote in a blog post on the group.
In February, the group attacked the Toll Group, an Australian shipping and logistics firm, causing disruptions to the company's operations and customers, according to media reports. In March 2020, the NetWalker group infected multiple hospitals in Spain, luring victims into opening malicious PDF documents that promised updated information on COVID-19. The latter incident, along with the attack on UCSF, highlights that cybercriminal groups — which had pledged to refrain from attacking hospitals and medical-research facilities during the coronavirus pandemic — cannot be trusted to forgo profits.
NetWalker, in particular, appears to be attacking with abandon — and leaking data, if the organization does not pay, Walter says.
"Consequently, detection and clean-up is no longer sufficient to ensure organizational data remains confidential and secure," he wrote in the blog post. "Prevention is the only the cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure."
BBC News managed to get a fly-on-the-wall view of the negotiation between UCSF and the NetWalker criminal group — a negotiation that started at $3 million. After some back and forth, the two parties negotiated to 116.4 Bitcoins, or $1.14 million, which the school paid.
The school notified the FBI and are cooperating with their investigation. The university does not believe that any sensitive medical information had been exposed by the attack.
"Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted," USCF stated in its statement. "The attackers obtained some data as proof of their action, to use in their demand for a ransom payment."
The school declined to offer additional details, citing the ongoing federal investigation.
"In order to preserve the integrity of the investigation, we are limited in what we can share at this time and appreciate everyone's patience as we resolve this situation," UCSF said in its June 17 statement.