University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'

Publicity-hungry crims find new way of pressuring victims

A California university which is dedicated solely to public health research has paid a $1.14m ransom to a criminal gang in the hopes of regaining access to its data.

The University of California San Francisco (UCSF) paid out in the apparently successful hope that the Netwalker group would send it a decryption utility for its illicitly encrypted files, which it referred to as "data ... important to some of the academic work we pursue as a university serving the public good".

A negotiator acting on behalf of UCSF was said to have opened the bidding for the decryptor at $780,000, according to the BBC which claimed that an "anonymous tipoff" allowed it to "follow the ransom negotiations in a live chat on the dark web".

UCSF said miscreants had "encrypted a limited number of servers within the School of Medicine" - on 1 June - and said on Friday that it was working with outside experts to "fully restore the affected servers". While the university is carrying out research on COVID-19, it said in a public statement that the attack did not affect that.

It also noted that patient medical records and patient care were not affected - the university has a teaching hospital attached, the San Francisco Medical Center.

Infosec researcher Brett Callow of threat intel biz Emsisoft told The Register that Netwalker is one of the gangs that did not join a previous underworld declaration by more "ethical" criminals who promised to avoid attacking institutions fighting the coronavirus pandemic.

The Register has asked UCSF for comment about the ransom payments as well as about its data backup processes.

Sophos published a blog post a few weeks ago going into depth about Netwalker's tactics and tools.

Britain's state-owned broadcaster also published what it said were extracts of live chat messages posted by the criminals as they negotiated with UCSF over the ransom. Using news media attention as a means of increasing pressure on victims to pay up is an increasingly popular tactic among ransomware gangs.

Some have even established clearnet and darknet blogs where they post snippets of leaked data and rant about uncooperative victims, in the hope of attracting journalists' attention and headlines that put the spotlight on victims and pressure others into paying.

British government advice, increasingly echoed around the world, is not to pay ransoms. There's no guarantee that criminals will stick by their word and, indeed, there is every incentive for them to score a payout from desperate victims and then auction off stolen data regardless of promises not to do so. ®
