
University of California: We Paid Cybercriminals a £1 Million Ransom

Data encrypted was "important... to the public good."

By CBR Staff Writer

The University of California, San Francisco (UCSF) says it paid cybercriminals $1.14 million (£1 million) to decrypt a “limited number of servers” in its School of Medicine that were hit by ransomware this month.

The University said that data encrypted in the attack (earlier attributed to the Netwalker ransomware family) was “important to some of the academic work we pursue as a university serving the public good.”

It added: “We therefore made the difficult decision to pay… for a tool to unlock the encrypted data and the return of the data they obtained.”

The University – which has 10 campuses around California – was hit by the ransomware attack on June 1. It said that it had “successfully isolated the incident from the core UCSF network… We believe that the malware encrypted our servers opportunistically, with no particular area being targeted.”

This University, which had an operating budget of $39.8 billion in 2019-20, was earlier reported by Bloomberg to be conducting clinical trials of potential COVID-19 treatments, as well as coronavirus antibody testing. It was not immediately clear if servers relating to this work were hit in the attack.

It isn’t entirely clear how the threat actors behind the Netwalker ransomware campaign gain an initial foothold in the networks they target, says Sophos, which “stumbled upon” a cache of tools used by the cybercriminals in late May. The British security firm added: “There are hints they take advantage of well-known, heavily publicized vulnerabilities in widely used, outdated server software (such as Tomcat or Weblogic) or weak RDP passwords.”
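Weak RDP passwords, one of the two initial-access hints Sophos mentions, leave a recognisable trail in Windows Security logs: bursts of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, often against many different accounts, sometimes followed by a success (Event ID 4624). The script below is an added example, not code from the article, UCSF or Sophos; it runs a sliding-window count over a small constructed set of pre-parsed events (the field names and sample IPs are assumptions) and flags sources that cross a failure threshold, noting any later successful RDP logon from the same source.

```python
"""Flag RDP brute-force / password-spray activity from Windows Security events.

Added example. Assumes events have already been parsed into dicts with the
fields time (ISO 8601), event_id, logon_type, user and src_ip. Sample data is
constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4624 + 1   # Event ID 4625: an account failed to log on
SUCCESS_LOGON = 4624      # Event ID 4624: an account was successfully logged on

# Constructed sample events (not taken from the article).
SAMPLE_EVENTS = [
    # Six failures in 40 seconds, each against a different account: spray pattern.
    {"time": "2020-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:17", "event_id": 4625, "logon_type": 10, "user": "root",          "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:25", "event_id": 4625, "logon_type": 10, "user": "svc-backup",    "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:33", "event_id": 4625, "logon_type": 10, "user": "jdoe",          "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:40", "event_id": 4625, "logon_type": 10, "user": "msmith",        "src_ip": "203.0.113.7"},
    # ...followed by a successful RDP logon from the same source.
    {"time": "2020-06-01T02:00:55", "event_id": 4624, "logon_type": 10, "user": "svc-backup",    "src_ip": "203.0.113.7"},
    # A user mistyping a password twice: benign at the default threshold.
    {"time": "2020-06-01T09:15:02", "event_id": 4625, "logon_type": 10, "user": "jdoe",          "src_ip": "198.51.100.22"},
    {"time": "2020-06-01T09:15:20", "event_id": 4625, "logon_type": 10, "user": "jdoe",          "src_ip": "198.51.100.22"},
    # Console failure (logon type 2) is not RDP and is ignored.
    {"time": "2020-06-01T09:16:00", "event_id": 4625, "logon_type": 2,  "user": "jdoe",          "src_ip": "-"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: summary} for sources with >= threshold RDP failures in any window."""
    failures = defaultdict(list)   # src_ip -> [(time, user)]
    successes = defaultdict(list)  # src_ip -> [(time, user)]
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append((_ts(ev["time"]), ev["user"]))
        elif ev["event_id"] == SUCCESS_LOGON:
            successes[ev["src_ip"]].append((_ts(ev["time"]), ev["user"]))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        # Sliding window: largest number of failures whose timestamps span <= window.
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_failure = fails[0][0]
        later_success = [u for t, u in successes.get(src, []) if t >= first_failure]
        alerts[src] = {
            "failures": len(fails),
            "max_in_window": peak,
            "distinct_users": len({u for _, u in fails}),
            "success_after_failures": later_success,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

The `distinct_users` count separates a single user hammering one account from a spray across many accounts, and a non-empty `success_after_failures` is the case worth paging someone for, since a success after a burst of failures is the point at which a weak password has stopped being a theoretical risk. In production the same logic runs over a SIEM query rather than an in-memory list, and the threshold is tuned to the environment.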



Sophos notes the Netwalker group’s use of a “comprehensive set of tools used to perform reconnaissance on targeted networks; privilege-elevation and other exploits… and utilities that can steal, sniff, or brute-force their way to valuable information (including Mimikatz, and variants called Mimidogz and Mimikittenz, designed around avoiding detection by endpoint security).”

In an archive of tools left on a server used by the group, Sophos also found a “number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools”.

It is unusual for an organisation to publicly admit paying a ransom. Security professionals typically warn that it can expose institutions to further attacks.

The UCSF said: “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates.

“We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share.”

See also: Grasping at Thin Air? Can Ransomware Criminals Actually *Be* Caught?
