Date: 2020-06-29

A leading medical-research institution working on a cure for Covid-19 has admitted it paid hackers a $1.14m (£910,000) ransom after a covert negotiation witnessed by BBC News.

The Netwalker criminal gang attacked University of California San Francisco (UCSF) on 1 June.

IT staff unplugged computers in a race to stop the malware spreading.

And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.

Cyber-security experts say these sorts of negotiations are now happening all over the world - sometimes for even larger sums - against the advice of law-enforcement agencies, including the FBI, Europol and the UK's National Cyber Security Centre.

Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.

Netwalker's dark web website used for negotiations with victims

At first glance, its dark-web homepage looks like a standard customer-service website, with a frequently asked questions (FAQ) tab, an offer of a "free" sample of its software and a live-chat option.

But there is also a countdown timer ticking down to a time when the hackers either double the price of their ransom, or delete the data they have scrambled with malware.

Instructed to log in - either by email or a ransom note left on hacked computer screens - UCSF was met with the following message, posted on 5 June.

Hacker chat box saying [Operator]: 'Hi UCSF, don't be shy we can work together on the current incident'

Six hours later, the university asked for more time and for details of the hack to be removed from Netwalker's public blog.

Hacker chat box saying 'Done. Your data is hide from our blog. Now, let's discuss.'

Noting UCSF made billions a year, the hackers then demanded $3m.

But the UCSF representative, who may be an external specialist negotiator, explained the coronavirus pandemic had been "financially devastating" for the university and begged them to accept $780,000.

Hacker chat box saying 'How can I accept $780,000? Is like, I worked for nothing. You can collect money in a couple of hours. You need to take is seriously. If we'll release our blog, student records/ data, I am 100% sure you will lose more than our price what we asked. We can agree to an price, but not like this, because I'll take this like an insult'

Hacker chat box saying 'Keep that $780,000 to buy McDonalds for your employees. Is very small amount for us.'

After a day of back-and-forth negotiations, UCSF said it had pulled together all available money and could pay $1.02m - but the criminals refused to go below $1.5m.

Hacker text saying 'I spook with my boss. I sent him all messages and he can't understand how a university like you: 4-5 billions per year. Is really hard to understand and realise you can get $1,020,895. But ok. I really think your accountant/ departments can get $500,000 more. So we'll accept $1.5m and everyone will sleep well.'

Hours later, the university came back with details of how it had procured more money and a final offer of $1,140,895.

Hacker text saying 'Ok good. Now you can sleep well :D'

And the next day, 116.4 bitcoins were transferred to Netwalker's electronic wallets and the decryption software sent to UCSF.

UCSF is now assisting the FBI with its investigations, while working to restore all affected systems.

It told BBC News: "The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.