California university pays hackers $1.14 million to recover data


Malware was discovered in the computer systems of the UCSF medical school. Administrators quickly attempted to isolate the infection and protect a number of systems, which prevented the ransomware from spreading to the UCSF core network and causing further damage.

Although the school claims that the cyber attack did not affect “our patient care services, the global campus network or work on COVID-19”, the UCSF servers used by the medical school have been encrypted.

This type of ransomware can be particularly destructive because once a system is compromised, the content is encrypted and made inaccessible. Victims are then faced with a choice: potentially losing their files, or paying a ransom. Cyber attackers often set a deadline before increasing the pressure by requesting additional payments.


And as this case shows, extortion demands can reach millions of dollars. “The attackers showed certain data as proof of their action, and used it in their request for payment of a ransom,” the university said in a statement. “We are continuing our investigation, but we do not believe at this time that the medical records of the patients have been exposed.”

Victims are advised not to give in to ransom demands, as paying supports criminal enterprises. However, UCSF said it had made “the difficult decision to pay part of the ransom” because some of the information stored on the servers is “important for certain academic work that we do”.

The Netwalker hacking group is said to be responsible for the operation. The BBC was able to follow the negotiations, conducted on the darknet, between Netwalker and the university. The ransomware operators first asked for $3 million, to which UCSF responded with an offer of $780,000, arguing that the new coronavirus pandemic had been “financially devastating” for the university.


This offer was rejected, however, and a back-and-forth eventually resulted in the agreed figure of $1,140,895, paid in Bitcoin (BTC). In exchange for payment, the ransomware operators provided a decryption tool and declared that they would delete the stolen data from the servers.

According to a recent Coveware report, during the first quarter of 2020, hackers took advantage of the economic and professional disruption caused by the COVID-19 epidemic. Corporate network configurations in “work at home” mode led to an increase in ransomware.

Above all, in the first quarter of 2020, the average ransom amount for businesses rose to $111,605, an increase of 33% compared to the fourth quarter of 2019. Ransom payments by large businesses are a minority by volume (of the total amount of money collected, all operations combined), but the size of those payments significantly increased the average ransom payment, while the median ransom remained relatively stable at $44,021.


According to SophosLabs, the Netwalker toolkit is extensive and includes the Netwalker, Zeppelin and Smaug ransomware, Windows reconnaissance tools and brute force attack software.

Researchers say this group tends to focus on large organizations rather than individual targets. In past attacks, Netwalker has targeted systems through publicly known vulnerabilities or by brute force attacks on machines with remote desktop services enabled.

UCSF has engaged cybersecurity consultants to investigate the incident and is currently working with the FBI. At the time of this writing, the servers are still down. “We continue to cooperate with law enforcement, and we appreciate that everyone understands that we are limited in what we can share while we continue our investigation,” added the university.

