UCSF Pays $1.14M to NetWalker Hackers After Ransomware Attack

After NetWalker ransomware locked down several servers of its School of Medicine, UCSF paid the hackers’ ransom demand to decrypt the data and restore function to the impacted systems.

By Jessica Davis

The University of California San Francisco recently paid a $1.14 million ransom demand after NetWalker threat actors infected several servers of its School of Medicine with ransomware, as first reported by Bloomberg.

The NetWalker threat actors have followed the path of the notorious Maze ransomware hacking group. The hackers first gain a foothold on a victim’s network, move laterally through vulnerable devices, and steal any valuable information before launching the ransomware payload.

Researchers recently warned NetWalker has since expanded operations to a Ransomware-as-a-Service (RaaS) model to partner with other seasoned cybercriminals, as well as targeting the healthcare sector amid the COVID-19 pandemic. The Champaign-Urbana Public Health District in Illinois fell victim to NetWalker ransomware in March.

UCSF is leading the COVID-19 response, working with other researchers on antibody testing and clinical trials.

NetWalker first posted the data they allegedly stole from UCSF to their dark web blog during the first week of June. The posting contained apparent screenshots with files allegedly stolen from UCSF, with references to the US Centers for Disease Control and Prevention and UCSF departments tied to COVID-19 research.

At the time, officials reported they had experienced an IT intrusion on some IT systems but declined to comment further on those ransomware reports. In a statement issued on June 26, UCSF officials confirmed the NetWalker ransomware attack and payment of the ransom demand.

The ransom payment was made as the impacted data was important to “serving the public good.” The university only paid a portion of the demand, in exchange for a tool to unlock the encrypted data and for the hackers to return the data they stole.

According to the statement, the cyberattack was detected in a limited portion of the UCSF School of Medicine’s IT environment on June 1. The impacted systems were quarantined from the network, which officials said successfully isolated the incident.

Officials stressed that patient care delivery operations, the campus network, and COVID-19 work were not affected by the attack. The ransomware did, however, render a number of servers in the affected environment temporarily inaccessible.

UCSF has been working with a third-party cybersecurity consultant and other outside experts on its investigation and to harden its security defenses. The affected servers are expected to be fully restored soon.

While the investigation is ongoing, officials said they believe the attack was opportunistic rather than targeted.

“The attackers obtained some data as proof of their action, to use in their demand for a ransom payment,” officials said in a statement. “We are continuing our investigation, but we do not currently believe patient medical records were exposed.”

“This incident reflects the growing use of malware by cybercriminals around the world seeking monetary gain, including several recent attacks on institutions of higher education,” they added. “We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share while we continue with our investigation.”

While the decision is a difficult one, the FBI and a host of security researchers have repeatedly warned against paying ransomware demands, for several reasons. In particular, the FBI warned that payment guarantees neither the return of data nor that the decryptor will work, and that payments fuel further ransomware attacks, both on the victim organization and by sustaining the overall ransomware business model.

However, the agency stressed that at times when faced with “an inability to function,” payment might be the only option, and victims should first evaluate all options to protect shareholders and other impacted parties.

A recent Sophos report, however, suggested that paying the ransom can actually double ransomware recovery costs.