The attack encrypted data on the university’s School of Medicine servers, rendering it inaccessible. The hackers initially demanded $3 million, but the university got them to agree to a lower amount through negotiations on the dark web. After 116.4 bitcoins were transferred to the attackers’ electronic wallet, the university received a decryption tool that allowed them to unlock the data.
The Netwalker ransomware group is said to be behind the attack. Although the university did not specify which data was affected, they have said that they do not believe any patients’ medical records were exposed. They have also stated that the incident had no effect on patient care or work related to the fight against coronavirus.
The university is now working with the FBI to investigate the attack. The Netwalker group was also behind ransomware attacks on two other universities recently.
BBC News detailed the negotiations between the two parties. First, the university asked the hackers to give them more time and to remove details of the hacking from their public blog. After noting that the university makes billions in a year, the hackers demanded $3 million. However, a UCSF representative responded that the coronavirus pandemic had devastated the university financially and asked them to accept $780,000.
Following a day of negotiations, the university said they could come up with $1.02 million, but the hackers refused to drop below $1.5 million. A few hours later, the university made a final offer of $1.14 million.
A university spokesperson told BBC News: “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
They added that not all of the statements made during the negotiations are factual.
In 2019, a similar attack was carried out against Regis University in Colorado. Their internet, website, email and phones were shut down as the attack was investigated and the threat was addressed. Although the attack is known to have involved ransomware, university officials have not acknowledged how much money they paid.
Meanwhile, last July, Monroe College was asked to pay a $2 million ransom to regain access to their emails, website and learning management system.
All three of these university attacks took place at a crucial time just ahead of the fall semester.
Cyber security experts told BBC News that these ransomware attacks and the resulting negotiations are constantly taking place around the world, for huge sums, against the advice of law enforcement agencies such as the FBI.
Paying hackers in a ransomware attack encourages them to carry out more attacks of the same type. If no one ever paid up, they would turn to other tactics. While no one would ever pay these ransoms in an ideal world, some organizations can find themselves in a difficult position when they need access to data, especially hospitals.
Of course, even after paying the demand, there is no guarantee that these criminals will actually delete all of the data they stole. In fact, it seems far more likely that they will hold onto it because they may be able to get more money out of it in the future. That's why it is so important to make sure all of your data is kept as secure as possible.