UCSF pays hackers $1.1M to regain access to medical school servers

Hackers extorted more than $1 million from the University of California, San Francisco (UCSF) after hitting its medical school servers with ransomware.

On June 3, UCSF IT staff detected a security incident that occurred in a limited part of the UCSF School of Medicine’s IT environment a few days earlier, the organization said in a statement on its website.

Friday, the organization posted an update that it negotiated with the hackers to pay a portion of the ransom to regain access to the medical school servers.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained," UCSF officials said.

BBC News cyberreporter Joe Tidy reported that the medical research institution was working on COVID-19-related research.

In its online statement, UCSF said the incident did not affect UCSF's patient care delivery operations, overall campus network or COVID-19 work.

RELATED: Alabama health system pays hackers responsible for ransomware attack as FBI warns more to come

"This incident reflects the growing use of malware by cyber-criminals around the world seeking monetary gain, including several recent attacks on institutions of higher education," UCSF said in the statement.

The institution continues to cooperate with law enforcement.

'We appreciate everyone’s understanding that we are limited in what we can share while we continue with our investigation," the organization said.

Here's what happened

SC Media reported that UCSF was targeted by the NetWalker (aka MailTo) ransomware group, as evidenced by a post on the cybergang’s data leak website.

These ransomware operators not only encrypt their targets’ files but also publish stolen files on a piecemeal basis unless and until the victim pays up, SC Media said.

BBC also reported that the organization was hit by Netwalker hackers.

Healthcare organizations have been a prime target for NetWalker through the pandemic. The hacking group was behind the ransomware attack on the website of Champaign-Urbana Public Health District in Illinois in March.

In May, the cybercriminal group also announced it infected the network of Michigan State University.

Proofpoint cybersecurity analysts have seen an uptick in ransomware emails using a variety of phishing lures, including fake COVID-19 tests, targeting industries in the U.S., France, Germany, Greece and Italy.

Between June 4-10, researchers saw more than 1 million ransomware messages from hackers using tools that can gain access to systems via a single download, according to a Proofpoint report.

RELATED: HHS cyberattack highlights how hackers are exploiting the pandemic. Here are 4 strategies to mitigate the risks

When UCSF IT leaders detected the ransomware attack, they quarantined several IT systems within the medical school as a safety measure and successfully isolated the incident from the core UCSF network, the organization said.

"While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible," UCSF said.

The organization began working with a cybersecurity consultant and other outside experts to investigate the incident and took steps to reinforce its IT systems’ defenses.

At one point, UCSF said it expected to "fully restore the affected servers soon."

BBC News reported that an anonymous tipoff enabled reporters to follow the ransom negotiations in a live chat on the dark web.

Cybersecurity experts say these sorts of negotiations are now happening all over the world—sometimes for even larger sums—against the advice of law enforcement agencies including the FBI, Europol and the U.K.'s National Cyber Security Centre, BBC News reported.

As the investigation at UCSF continued, IT security leaders realized the malware encrypted its servers "opportunistically, with no particular area being targeted," the organization said in its statement.

"The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed," UCSF said.

BBC News reported that the Netwalker group's dark-web homepage looks like a standard customer service website, with an FAQ tab, an offer of a "free" sample of its software and a live-chat option.

But there is also a countdown timer ticking down to a time when the hackers either double the price of their ransom or delete the data they have scrambled with malware, BBC News reported.

On June 5, the university asked for more time and for details of the hack to be removed from Netwalker's public blog, according to BBC News.

Noting UCSF made billions a year, the hackers then demanded $3 million.

"But the UCSF representative, who may be an external specialist negotiator, explained the coronavirus pandemic had been 'financially devastating' for the university and begged them to accept $780,000," BBC News reported.

RELATED: Hackers using fake HIV test results, coronavirus emails to target healthcare companies

The negotiations continued, and UCSF eventually paid a $1.14 million ransom.

In a statement to BBC News, the university said "it would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate."

In October, the FBI warned that ransomware attacks are becoming "more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent."

The FBI does not advocate paying a ransom, the agency said, "in part because it does not guarantee an organization will regain access to its data." In some cases, victims who paid a ransom were never provided with decryption keys.

Organizations are encouraged to regularly back up their data offline.

Many security firms offer free resources and decryption tools for different ransomware strains. Emsisoft provides an ID Ransomware tool to help identify what strain of ransomware organizations are facing as well as other decryption tools.

A public-private partnership between law enforcement and IT security companies called No More Ransom is helping ransomware victims recover their files rather than giving in to hackers' demands.