Paying a ransom to get your data back is something that law enforcement agencies across the world say you should never do. But when your data contains your research looking for a cure for a global pandemic, what are you supposed to do? That is the dilemma that the University of California San Francisco (UCSF) found itself in when it was hit by ransomware.
The Netwalker crime gang behind the attack had initially asked for US$3 million. However, given the current financial crisis, the hit on funds and a willingness by both parties to negotiate, the final figure was set at $1.14 million. In a strange twist, an anonymous tip-off invited the BBC to watch the ransomware negotiations in a live chat on the dark web.
The BBC coverage shows that UCSF asked Netwalker to remove details from its public blog which it did. The two sides then negotiated a payment that eventually resulted in 116.4 bitcoins being transferred to Netwalker’s electronic wallets. The total value of the transaction is $1,140,895. Once the bitcoins were paid, Netwalker sent the decryption software to UCSF and files were recovered.
What do we know about the attack?
On June 1, UCSF staff were alerted to an attack on the School of Medicine’s IT environment. The response was to shut down computers across the campus and isolate the School of Medicine. UCSF then brought in an unnamed cybersecurity firm to investigate the scale of the problem.
On June 17, UCSF published an update on the incident on its news site. It stated that the initial assessment showed that the number of affected machines was limited. Importantly, it also said: “We are making good progress and are optimistic that we will start bringing our isolated systems back online in about two weeks.”
The next update was on June 26, when UCSF admitted to paying the ransom. It is currently taking the view that the attack was one of opportunity rather than a targeted attack. It also stressed that no patient medical records were exposed and said it would deliver another update when it has more information.
How did the attackers get in?
It’s a question for which there may be no obvious answer. The attackers may have found an insecure access point, such as an unpatched server. Stolen credentials that have been reused across multiple sites are another likely route. An infected device, brought into the facility by a student or researcher and then connected to the network, could have allowed the ransomware to spread. A phishing attack against a member of staff might have resulted in them opening an infected email.
Unlike many universities, UCSF has no cybersecurity programme. It relies on hiring its own staff and working with partners. There will now be an investigation as to how effective those partners were and what went wrong. What should not happen is a finger-pointing exercise. There are lessons here that have to be learned and responded to.
What happens next?
Finding the initial point of attack is useful during the forensics part of the investigation. What is more important is a complete review of the university systems. It should be more than just a paper exercise. It should involve red teams looking for exploits across the entire university. Once found, they should be patched.
The investigation will also want to establish why there were insufficient backups, what the cyber resiliency plan was and when it was last tested. Universities survive by making money from research and should, therefore, prioritise data resiliency.
It will be interesting to see what UCSF did after the warning by the FBI in April of an increase in COVID-19 threats. It’s a message that has been amplified by cybersecurity vendors in multiple reports since then. If it turns out the university did not take additional precautions, there will be many questions asked as to why.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, Master of Legal Studies (WASHU) & MS Criminal Justice and Cybercrime Investigation (BU), comments: “Public schools frequently save money on cybersecurity, trying to invest budgets into apparently more appealing areas to deliver more value for students and society. Unfortunately, the road to hell is paved with good intentions, and unscrupulous attackers readily exploit any inadequate resilience and unpreparedness to extort money.”
Enterprise Times: What does this mean
Another organisation breached, data locked away, and a ransom paid. Situation normal, but should it be? Law enforcement and cybersecurity vendors around the world have been warning about a surge in ransomware for months. They have also called out attacks against any organisation doing COVID-19 research. Those organisations are likely to pay up because the rewards for a successful trial of a new vaccine will be astronomical.
There is no question that UCSF had little option but to pay once it realised it couldn’t recover the data that was encrypted. However, the cost of a proper cyber resilience solution, or of paying for better cybersecurity testing and support, would have been a fraction of what this has cost. That, in itself, is the big lesson here. Putting the right technology and processes into place is cheaper than paying a ransom.
Will this act as a lesson to organisations to focus more on cyber resilience? No. It is a cycle driven by poor decisions and where those responsible for those decisions rarely pay the price.