An anonymous tip to BBC News let them watch in real-time as a US medical university attempted to negotiate with hackers who had infected its systems with ransomware.
The University of California San Francisco (UCSF) was attacked by the notorious NetWalker ransomware on Jun. 1.
A ransom demand by the gang ordered the university (dedicated to medical research) to a payment page on the Dark Web, where they found a FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), & the ability, just like so many legitimate websites, to have a live chat with a ‘support operator.’
Negotiating the safe recovery of your encrypted files is much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand, or publish stolen data onto the internet if time runs out!
6 hours later, the University of California San Francisco must have been very relieved to have been given more time, & also for news of this attack to be removed from NetWalker’s public website
However, the hackers asked for $3m, & were unimpressed when whoever was at the UCSF’s end asked them to accept $780,000 with the excuse of the “financially devastating” damage caused by the pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.
After what BBC News called a “day of back-and-forth negotiations,” the sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker Gang the following day, & the university got the decryption software required to recover its data.
Speaking to BBC News, UCSF explained why it had decided to ‘give-in’ to its digital extortionists:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data & the return of the data they obtained.
“It would be a mistake to assume that all of the statements & claims made in the negotiations are factually accurate.”
“No-one likes the idea of cybercriminals making money out of successful ransomware attacks. Every time one organisation decides to pay its extortionists it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.
At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.”
The University is now assisting in the FBI’s investigation into this attack, & in restoring its affected systems.
A final thought – in whose interest is it in to tell BBC News about a ransomware negotiation as it happens?
As Mr. Spock from Star Trek often said…..fascinating!