Hackers used ransomware to extort $1.14m via UCSF networks

Hackers used ransomware to take over parts of UC San Francisco’s network and extorted $1.14 million in exchange for returning access to its files

  • University of California San Francisco lost control of some of its files in a hack
  • Ransomware was used to encrypt files and UCSF agreed to pay for their return
  • UCSF hasn’t said what files were affected nor how the ransomware entered the system, but the FBI has opened an investigation into the incident

Hackers successfully extorted $1.14 million from the University of California San Francisco after breaching its internal networks with ransomware.

The attack was organized by the Netwalker gang, a hacker group that uses ransomware of the same name, which gained access to UCSF’s protected files in early June.

After extended negotiation with the hackers, UCSF management agreed to pay the hackers 116.4 bitcoins, or $1,140,895, in exchange for their files being returned.

The FBI is currently investigating the attack, and UCSF management has not disclosed how the hackers introduced the ransomware to the network nor described what specific files were affected.

Hackers targeted UC San Francisco with a ransomware attack in early June, locking staff out of several key files on their network

‘The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,’ a UCSF spokesperson told the BBC.

‘We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.’

The Netwalker gang has previously attacked a number of other institutions with ransomware, including parts of a local Austrian city government network, Michigan State University servers, and the Champaign-Urbana Public Health District in Illinois, among several others.

Once installed on a computer, ransomware encrypts the user’s files so they cannot be opened without a decryption key that only the attackers hold, then demands a fee in exchange for restoring access to the files.

In the UCSF hack, the Netwalker gang set up a fake customer service page that offered to sell a decrypter program that would restore the files, while a built-in timer counted down.

The page said that the price of the decrypter program would double every time the timer reached zero.

UCSF staff have not said what files were affected, nor how the ransomware first entered their systems, but the FBI has opened an investigation into the matter

A negotiator representing UCSF communicated with a Netwalker hacker through a chat window connected to this order form, and a live log of their chats was broadcast on the dark web.

In the chat, the hackers claimed UCSF made ‘4-5 billions per year’ and demanded $3million to release the locked files.

The UCSF negotiator offered $780,000, and after several hours of back and forth, the two sides settled on $1.14 million.

Cybersecurity experts have suggested the recent widespread shift to remote working has left a number of organizations newly vulnerable to hackers.

Cybersecurity experts point to the rise in people working from home during COVID-19 as a major security issue that has created new opportunities for hackers

According to Bill Conner of the cybersecurity firm SonicWall, the combination of remote internet connections and less secure personal computers has introduced several new openings that could be targeted.

‘In most cases, these are not brand new exploits, [hackers] are not creating new malware,’ Conner told the San Jose Mercury News. ‘They’re just attacking more vulnerable areas.’

‘There’s more easy access from home than there was in a building, because you have multiple layers of security in your office.’