UC San Francisco med school pays $1.14 million to retrieve data from cyberattackers

A string of cyberattacks against universities — the most recent against the University of California, San Francisco School of Medicine — has left institutions with a difficult choice: lose valuable data to hackers or pay steep ransoms.

In an announcement Friday, UCSF admitted to paying $1.14 million for the return of data that hackers had encrypted using the Netwalker ransomware.

IT staff at the medical school detected a security breach June 1, according to a news release from UCSF. Though staff were able to halt the attack as it occurred, the hackers left several university servers encrypted and inaccessible, the release said.

After negotiating with hackers on the dark web, as BBC first reported, the university agreed to pay the ransom on June 6.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the university’s statement said. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

The ransomware responsible for the hack, Netwalker, also was used to target Michigan State University in early June and Columbia College Chicago in late May.

Hackers behind Netwalker published data from the three universities on a blog, Inside Higher Ed reported. Michigan State stated on June 3 that it would not pay a ransom for its stolen data. Netwalker has published personal information and financial documents from the university online.

UCSF’s decision to pay the ransom does not follow the advice of law enforcement or of experts such as Brett Callow, a threat analyst at the security firm Emsisoft. For Callow, paying a ransom for stolen data only emboldens the criminals behind the malware.

“Paying simply further incentivizes the criminals and provides them with additional resources to invest in ramping up their resources,” Callow said. “That means they can successfully attack more companies, collect more ransoms and it becomes a vicious circle. The only way to break that circle is by organizations not paying.”

The FBI has also advised against paying ransom for stolen data. The bureau said in a statement released last October that paying does not guarantee the decryptor will work or that the data will be returned, and that it “emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.”

State Senate Majority Leader Robert Hertzberg, who wrote a 2016 bill classifying ransomware as punishable as extortion, said UCSF was “right to pay the ransom — this time,” but said the servers should never have been vulnerable to cyberattack in the first place.

The attack “is symbolic of the urgent need to move our state’s technological infrastructure more quickly into the 21st century,” Hertzberg said, adding that law enforcement agencies must “aggressively pursue” hackers and that state agencies must have the tools to prevent ransomware attacks altogether.

It is not known exactly how the UCSF servers were hacked, but threat analysts such as Callow have pointed to a vulnerability they say was present on several of the school’s servers. The vulnerability, which affects Citrix servers and is tracked as CVE-2019-19781, was present on the UCSF servers between December 2019 and January 2020, according to a June 3 tweet from Bad Packets, a Chicago-based threat intelligence firm.

This particular Citrix vulnerability has been exploited by ransomware groups in the past. In January, Citrix released a permanent fix, or patch, for servers carrying the vulnerability. Without the patch, UCSF servers would have been vulnerable to hackers, Callow said.

The UCSF School of Medicine is a leading research institution in the effort to develop possible treatments for COVID-19, the disease caused by the new coronavirus. The university’s statement said the cyberattack did not affect COVID-19 research or patient care.

UCSF is working with a cybersecurity consultant and law enforcement to investigate the hack, the statement said.

Hertzberg said he expects authorities to prosecute the cyberattack to the fullest extent of the law.

“This attack speaks to the way that criminal behavior is changing in the 21st century,” Hertzberg said. “The most sophisticated criminals don’t need guns or even masks — they hide behind computers and hacker identities. Frighteningly, the new bank vaults are medical school servers.”