Late last week, the University of California, San Francisco (UCSF) announced it paid nearly $1.14 million to cyber criminals to retrieve stolen data after a ransomware attack earlier this month.
The incident occurred on June 1. UCSF said it was able to bring the attack under control quickly after detection, but not before other systems had been compromised.
IT systems inside the School of Medicine were quarantined to contain the attack, and the main UCSF network was not compromised, the university said. Patient care delivery operations, COVID-19 research, and the campus network were not affected either.
“Although we stopped the attack as it happened, the attackers launched malware that encrypted a small number of servers inside the Medical School, rendering them temporarily unavailable,” says UCSF.
The university says it does not believe the attackers targeted individual servers within its network; rather, they encrypted them “opportunistically.” It’s hoped that the compromised servers will be fully restored shortly.
“The attackers collected some data as evidence of their operation, to use it for a ransom payment in their claim. We are continuing our investigation but at the moment we do not feel that patient medical records have been released,” says the university.
UCSF also states that the data encrypted during the attack was part of academic research. Because of the value of the data, the university agreed to pay “any portion of the ransom, roughly $1.14 million,” for a decryption tool that would allow the data to be recovered.
The university has yet to provide information about how the network was compromised by the attackers. The attack is suspected to have been carried out by the NetWalker Ransomware operators.
As Carl Wearn, head of e-crime at Mimecast, pointed out in an emailed statement, victims are told never to pay the ransom, because there is no assurance that they will get their data back. In fact, paying gives cyber criminals an incentive to carry out similar attacks, because it shows that such attacks are financially viable.
“If companies are to substantially reduce ransomware risks, unnetworked backups and a fallback email and archiving mechanism need to become standard security steps. Individual users can also be of great benefit by being aware of the potential for unsafe attachments, but should also be vigilant about clicking any email links received in any correspondence, as criminals are increasingly using URL links instead of file-based attachments to infect networks,” Wearn continued.