UCSF Med School Pays $1.1 Million Ransom
After Ransomware Attack, School Cites Need to Restore Data Related to 'Academic Work'
The University of California San Francisco says it paid a $1.14 million ransom earlier this month to obtain decryptor keys to unlock several servers within its school of medicine that were struck with ransomware.
UCSF says that despite being able to limit the damage inflicted during the attack, which took place on June 1 and was first reported by the university on June 3, the institution needed to pay a ransom to restore access to data used for “academic work” (see: Are Academic Healthcare Systems Top COVID-19 Attack Targets?).
The operators behind the Netwalker ransomware claimed credit for the attack, according to Bloomberg. A spokesperson for UCSF could not be immediately reached for comment on Monday.
"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained," UCSF says in its statement.
The FBI has repeatedly urged organizations not to pay ransoms because that encourages more cybercrime.
"If organizations keep on paying ransoms, we’ll end up with more motivated and better resourced criminals who are able to use those additional resources to ramp up their operations in terms of both scale and sophistication," Brett Callow, a threat analyst with Emsisoft, tells Information Security Media Group. "That means more victims, more ransoms paid and more investment."
Data Exfiltrated
The malicious actors were able to exfiltrate some data to help prove they were responsible for the attack, according to UCSF. University officials say the full extent of the data compromised is not known, but they do not believe patient data was involved. Also not affected, they say, were patient care operations, the overall campus network and research into COVID-19.
"While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible," UCSF reports. "Since that time, we have been working with a leading cybersecurity consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses. We expect to fully restore the affected servers soon."
UCSF's statement did not contain any details regarding the type of ransomware involved nor whether the decryptor keys enabled the school to regain access to its files.
"Paying the ransom is always a business choice and in this case the university concluded that the data was worth much more than the ransom paid," says Chris Bates, vice president of security strategy at SentinelOne, a security software firm. "With that said, cybercriminals can smell blood in the water much like sharks. This can lead to a tendency to target people they know are likely vulnerable to cyberattacks and likely to pay."
Other Ransom Payments
In the last two years, New Bedford, Mass.; Riviera Beach and Lake City, Fla.; the Rockville Center, N.Y. School District; LaPorte County, Ind.; and Jackson County, Ga. have all opted to pay a ransom after a ransomware attack, with some noting that their cyber insurance would cover part of the cost (see: A Ransomware Tale: Mayor Describes City's Decisions).
Chris Pierson, CEO of cybersecurity firm BlackCloak, says that one way for organizations to avoid the dilemma of whether to pay a ransom is to create backup systems that can allow for the recovery of data.
"You can either ignore the risk, mitigate it or transfer the risk through insurance as well," Pierson says. "So there is never a reason to be caught off guard, and it makes sense to broach this risk every quarter in your risk groups and to the board."
Emsisoft's Callow notes, however, that any ransom that is paid is likely to encourage other cybercriminals to continue to wage attacks (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
"It's a vicious circle," he says. "The only way to break that circle is to make ransomware attacks unprofitable, and that means organizations must stop paying ransoms. … Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."