UC San Francisco pays $1.14 million for ransomware decryptor

The University of California San Francisco (UCSF) says that it paid $1.14 million to the Netwalker ransomware operators who successfully breached the UCSF School of Medicine’s IT network, stealing data and encrypting systems.

UCSF is a research university focused on health sciences and involved in COVID-19 research, ranked as #2 in medical schools for research and #6 in best medical schools for primary care based on U.S. News & World Report's college rankings.

On June 3, Netwalker said in a post published on its data leak site that it hacked into UCSF's network, publishing some of the stolen files during the breach, including student applications with social security numbers, and folder listings appearing to contain employee information, medical studies, and financials.

UCSF entry on Netwalker's data leak site

Attack stopped in its tracks, some systems still got encrypted

UCSF now has confirmed that Netwalker's ransomware attack was at least partially successful since the threat actors were able to encrypt data on some School of Medicine systems.

"As we disclosed on June 3, UCSF IT staff detected a security incident that occurred in a limited part of the UCSF School of Medicine’s IT environment on June 1," the announcement says.

"We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work."

The university says that the ongoing investigation has so far found no evidence that patient medical records were exposed during the incident.


Despite this, UCSF says that it has decided to pay the Netwalker operators roughly $1.14 million to obtain the tool needed to decrypt the academic work encrypted during the attack and to have the stolen data returned.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good," UCSF added.

"We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

Universities and enterprises under fire

UCSF is one in a series of universities that fell victim to ransomware attacks in the last few months, with Michigan State University's (MSU) network having been breached and encrypted on May 28th according to the Netwalker operators.

Since then, all the data stolen in the MSU attack has been leaked, because the university refused to pay the ransom.

Netwalker also claims to have encrypted the systems of Columbia College of Chicago, again threatening to publish the data on its data leak site if the ransom is not paid.

When first released towards the end of 2019, this ransomware was referred to as Mailto. This year it was discovered that its actual name is Netwalker and that it is a ransomware-as-a-service (RaaS) operation used by affiliates in attacks targeting vulnerable Remote Desktop Services.

This RaaS operation also focuses on compromising enterprise networks, both to demand larger ransoms and to gain the leverage that stolen corporate data provides.

Netwalker has slowly and steadily made a name for itself after announcing a constant stream of successful attacks, including one against Australian transportation company Toll Group, Asia Pacific's leading provider of logistics services, with 44,000 employees in 1,200 locations in over 50 countries.
