University of California extorted for $1.14 million by cybercriminals

The University of California in San Francisco (UCSF) says it has paid cybercriminals $1.14 million (£1 million) to decrypt a “limited number of servers” in its School of Medicine, which was hit by ransomware this month.

Regarding the mass data breach of one of its departments, the university stated in a press release:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.”

“We therefore made the difficult decision to pay some portion of the ransom.”

The initial intrusion was detected in June, and the hackers were halted midway through their raid on the private information of the university’s students and staff. The attackers, found to be using malware known as Netwalker, used the data they had taken to force UCSF into ransom negotiations, which ended with the announced payment.

In exchange, the university said it received a key to restore access to the files, and copies of the stolen documents. The university declined to say what was in the files that was worth more than $1 million, except that it didn’t believe patient medical records were exposed.

In response to the event, Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, has commented:

“The disclosed technical details of the attack are obscure and insufficient to derive definitive conclusions about the origins and nature of this exorbitant incident. In light of the well-known malware reportedly used in the attack, we may, however, assume that the attack exploited a lack of IT asset visibility, improperly implemented security monitoring or patch management.

Kolochenko goes on to pinpoint the ways in which cybercriminals are using poorly secured technology to blackmail institutions.

“Public schools frequently save money on cybersecurity, trying to invest budgets into apparently more appealing areas to deliver more value for students and society. Unfortunately, the road to hell is paved with good intentions, and unscrupulous attackers readily exploit any inadequate resilience and unpreparedness to extort money. Covid-19 largely exacerbates the situation with the surge of shadow IT, abandoned servers and unprotected applications serving as an easy entry point into disrupted organizations.

Cryptocurrencies turn cyber extortion and racketeering into a highly profitable and riskless business given that in most cases the attackers are technically untraceable and thus enjoy impunity. We will likely see a steady growth of ransomware hacking campaigns targeting the public sector in 2020.”