A major medical research institute working on a cure for Covid-19 has admitted to paying hackers a ransom of $1.14 million (£910,000) after a secret negotiation witnessed by BBC News.
The criminal gang Netwalker attacked the University of California in San Francisco (UCSF) on June 1st.
IT staff unplugged computers in a rush to stop the spread of malware.
And an anonymous tip-off allowed BBC News to follow the ransom talks in a live chat on the dark web.
Cyber security experts say that this type of negotiation is taking place all over the world – sometimes for even greater amounts – against the advice of law enforcement agencies, including the FBI, Europol and the UK's National Cyber Security Centre.
Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.
At first glance, its dark-web page looks like a normal customer support website, with a FAQ tab, an offer of a “free” sample of its software and a live chat option.
But there is also a countdown timer to the point at which the hackers will double the price of their ransom or delete the data they have encrypted with the malware.
Instructed to log in – either by email or via a ransom note left on the screens of compromised computers – UCSF was met with the following message, posted on June 5.
Six hours later, the university asked for more time and details of the hacking to be removed from Netwalker’s public blog.
Noting that UCSF earned billions a year, the hackers demanded $3 million.
But the UCSF representative, who may have been an external specialist negotiator, explained that the coronavirus pandemic had been “financially devastating” for the university and implored them to accept $780,000.
After a day of back-and-forth negotiations, UCSF said it had put together all the money available and could pay $1.02 million, but the criminals refused to go below $1.5 million.
Hours later, the university came back with details of how it had raised more money and a final offer of $1,140,895.
And the next day, 116.4 bitcoins were transferred to Netwalker’s electronic wallets and the decryption software sent to UCSF.
The UCSF is now assisting the FBI in its investigations as it works to restore all affected systems.
The university told BBC News: “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
“We therefore made the difficult decision to pay a portion of the ransom, around $1.14 million, to the people behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.
“It would be a mistake to assume that all statements and claims made in the negotiations are actually accurate.”
But Europol’s Jan Op Gen Oorth, who runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.
“Instead, they should report it to the police so that law enforcement officers can stop the criminal enterprise.”
Brett Callow, threat analyst at the cybersecurity company Emsisoft, said: “Organizations in this situation don’t have a good option.
“Even if they pay the demand, they will simply receive a pinky promise that the stolen data will be deleted.
“But why would a ruthless criminal firm erase the data it might be able to monetize further later?”
Most ransomware attacks start with a booby-trapped email, and research suggests that criminal gangs are increasingly using tools that can gain access to systems via a single download.
In the first week of this month alone, cyber security analysts at Proofpoint say they have seen more than a million emails using a variety of phishing lures, including fake Covid-19 test results, sent to organizations in the United States, France, Germany, Greece and Italy.
Organizations are encouraged to regularly back up their data offline.
But Ryan Kalember of Proofpoint said, “Universities can be difficult environments for IT administrators to protect.
“The constantly changing student population, combined with a culture of openness and information sharing, may conflict with the rules and controls often needed to effectively protect users and systems from attacks.”