Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

UCSF Med School Pays $1.1 Million Ransom

After Ransomware Attack, School Cites Need to Restore Data Related to 'Academic Work'
UCSF Med School Pays $1.1 Million Ransom

The University of California San Francisco says it paid a $1.14 million ransom earlier this month to obtain decryptor keys to unlock several servers within its school of medicine that were struck with ransomware.

See Also: The State of OT Security: A Comprehensive Guide to Trends, Risks, and Cyber Resilience

UCSF says that despite being able to limit the damage inflicted during the attack, which took place on June 1 and was first reported by the university on June 3, the institution needed to pay a ransom to restore access to data used for “academic work” (see: Are Academic Healthcare Systems Top COVID-19 Attack Targets?).

The operators behind the Netwalker ransomware claimed credit for the attack, according to Bloomberg. A spokesperson for UCSF could not be immediately reached for comment on Monday.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained," UCSF says in its statement.

The FBI has repeatedly urged organizations not to pay ransoms because that encourages more cybercrime.

"If organizations keep on paying ransoms, we’ll end up with more motivated and better resourced criminals who are able to use those additional resources to ramp up their operations in terms of both scale and sophistication," Brett Callow, a threat analyst with Emsisoft, tells Information Security Media Group. “That means more victims, more ransoms paid and more investment."

Data Exfiltrated

The malicious actors were able to exfiltrate some data to help prove they were responsible for the attack, according to UCSF. University officials say the full extent of the data compromised is not known, but they do not believe patient data was involved. Also not affected, they say, were patient care operations, the overall campus network and research into COVID-19.

"While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible," UCSF reports "Since that time, we have been working with a leading cybersecurity consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses. We expect to fully restore the affected servers soon."

UCSF's statement did not contain any details regarding the type of ransomware involved nor whether the decryptor keys enabled the school to regain access to its files.

"Paying the ransom is always a business choice and in this case the university concluded that the data was worth much more than the ransom paid," says Chris Bates, vice president of security strategy at SentinelOne, a security software firm. "With that said, cybercriminals can smell blood in the water much like sharks. This can lead to a tendency to target people they know are likely vulnerable to cyberattacks and likely to pay."

Other Ransom Payments

In the last two years, New Bedford, Mass.; Riviera Beach and Lake City, Fla.; the Rockville Center, N.Y. School District; LaPorte County, Ind.; and Jackson County, Ga. have all opted to pay a ransom after a ransomware attack, with some noting that their cyber insurance would cover part of the cost (see: A Ransomware Tale: Mayor Describes City's Decisions).

Chris Pierson, CEO of cybersecurity firm BlackCloak , says that one way for organizations to avoid the dilemma of whether to pay a ransom is to create backup systems that can allow for the recovery of data.

"You can either ignore the risk, mitigate it or transfer the risk through insurance as well,” Pierson says. “So there is never a reason to be caught off guard, and it makes sense to broach this risk every quarter in your risk groups and to the board."

Emsisoft's Callow notes, however, that any ransom that is paid is likely to encourage other cybercriminals to continue to wage attacks (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).

"It's a vicious circle," he says. "The only way to break that circle is to make ransomware attacks unprofitable, and that means organizations must stop paying ransoms. … Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.