This article is more than 1 year old

University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'

Publicity-hungry crims find new way of pressuring victims

A California university which is dedicated solely to public health research has paid a $1.14m ransom to a criminal gang in the hopes of regaining access to its data.

The University of California San Francisco (UCSF) paid out in the apparently successful hope that the Netwalker group would send it a decryption utility for its illicitly encrypted files, which it referred to as "data ... important to some of the academic work we pursue as a university serving the public good".

A negotiator acting on behalf of UCSF was said to have opened the bidding for the decryptor at $780,000, according to the BBC which claimed that an "anonymous tipoff" allowed it to "follow the ransom negotiations in a live chat on the dark web".

Maze ransomware gang threatens to publish sensitive stolen data after US aerospace biz sensibly refuses to pay


UCSF said miscreants had "encrypted a limited number of servers within the School of Medicine" - on 1 June - and said on Friday that it was working with outside experts to "fully restore the affected servers". While the university is carrying out research on COVID-19, it said in a public statement that the attack did not affect that.

It also noted that patient medical records and patient care were not affected - the university has a teaching hospital attached, the San Francisco Medical Center.

Infosec researcher Brett Callow of threat intel biz Emsisoft told The Register that Netwalker is one of the gangs that did not join a previous underworld declaration by more "ethical" criminals who promised to avoid attacking institutions fighting the coronavirus pandemic.

The Register has asked UCSF for comment about the ransom payments as well as about its data backup processes.

Sophos published a blog post a few weeks ago going into depth about Netwalker's tactics and tools.

Britain's state-owned broadcaster also published what it said were extracts of live chat messages posted by the criminals as they negotiated with UCSF over the ransom. Using news media attention as a means of increasing pressure on victims to pay up is an increasingly popular tactic among ransomware gangs.

Some have even established clearnet and darknet blogs where they post snippets of leaked data and rant about uncooperative victims, in the hope of attracting journalists' attention and headlines that put the spotlight on victims and pressure others into paying.

British government advice, increasingly echoed around the world, is not to pay ransoms. There's no guarantee that criminals will stick by their word and, indeed, there is every incentive for them to score a payout from desperate victims and then auction off stolen data regardless of promises not to do so. ®

More about

More about

More about


Send us news

Other stories you might like