It has been reported by CBS San Francisco that the UCSF IT staff first detected the security incident by stating that the attack launched by the NetWalker group affected “a limited number of servers in the School of Medicine.”
As the areas were isolated by experts from the internal network, the hackers left the servers inaccessible and managed to deploy the ransomware successfully.
A statement published by the University of California said:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. […] We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
Likewise, BBC News revealed that a covert negotiation between the UCSF officials and the gang took place, but did not end successfully.
As per the report, the university’s officials first asked to reduce the ransom payment amount to $780,000, but the hackers rejected the offer by stating that if they accepted the reduced amount, it would be as if they had “worked for nothing.”
NetWalker warned that they will only accept $1.5 million, and “everyone will sleep well.” Hours later, the UCSF staff asked for the steps to follow to send the payment and put a final offer of $1,140,895, which was accepted by the hackers.
However, the university’s staff then proceeded to send 116.4 Bitcoin (BTC) the next day to the ransomers’ wallets and received the decryption software.
Brett Callow, the threat analyst and ransomware expert at malware lab Emsisoft, commented:
“While public and private sector entities in the U.S., Europe and Australasia are the most common targets for ransomware groups, entities in other countries are frequently targeted too. And as ransomware attacks are now data breaches, the risks associated with these incidents are greater than ever — both to the targeted organizations and to their customers and business partners.”
Thus, Callow added that companies can minimize the likelihood of being successfully attacked by “adhering to security best practices, locking down RDP, using multi-factor authentication everywhere it can be used, disabling PowerShell when not needed, etc.”