Ransomware Attack Directed Towards University of California Generated 118 Bitcoin
The University of California, San Francisco’s plans to further COVID-19 vaccine research were disrupted by a ransomware attack on the school’s servers.
Ransomware Operation Hits US, Seeks $3 Million
School files, transcripts, employee, and student-related data were reported to have been stolen during the hack. The University of California, San Francisco (UCSF) was working on a vaccine for COVID-19 when several of its school servers were shut down and locked by hackers.
The ransomware group responsible for the network freeze appears to be Netwalker, a hacking ring that has been fairly active since last fall. The hacking operation demanded a ransom of $3 million in exchange for releasing the digital keys and set a deadline of “2 days, 23 hours, and 0 minutes” for the transfer of digital assets. It also appointed a representative to coordinate all negotiations and discussions with UCSF. The hackers’ spokesperson was dubbed “Operator.”
Negotiations to Drive Down Ransom
Though UCSF has not been able to confirm the origin of the attackers, the messages that were exchanged between the university’s negotiator and Operator were riddled with grammatical tics that are commonly observed among native Russian speakers. One thing that seemed like a fair bet was that the hackers were not in US jurisdiction at the time of the act.
Though the FBI usually handles ransomware attacks on US soil, UCSF took matters into its own hands in this case. The UCSF negotiator demanded that Operator give the university a bit more time to come up with the sum that the attackers demanded. The professional also negotiated for a lower price, tugging at Operator’s heartstrings and stating that, due to the ongoing COVID-19 research that the university was engaged in, it had nowhere near the funds that Operator demanded.
The exchange took approximately six days, with ransom demands fluctuating from $390k to $780k and so on. The UCSF negotiator relentlessly attempted to drive down the ransom price, to no avail. Finally, resorting to empathy, the negotiator said to Operator, as disclosed by Bloomberg, “I haven’t slept in a couple of days because I’m trying to figure this out for you. I am being viewed as a failure by everyone here and this is all my fault this is happening.”
Whether or not this was a strategy employed by the negotiator, it somehow worked, as Operator responded, “My friend, your team needs to understand this is not your failure. Every device on the internet is vulnerable.”
BTC Funds for Netwalker
The negotiator and Operator finally agreed on a price of $1.14 million. This translates to approximately 118 Bitcoin at the time of writing. The university representative then demanded a few days to gather the digital assets. Under the deal that was struck, the Netwalker ransomware group would transfer all the data it stole from the university’s network to UCSF in exchange for the funds. The attackers also had to provide evidence that they had deleted the copies from their own servers, a task that required attentive decryption.
UCSF was able to link the hackers to Netwalker through the cybercriminals’ dark web blog. The Netwalker hacking operation also possessed its own malware, available for lease to any future attackers. In March, the group also posted a dark web ad to recruit new hackers to its team. The posting read: “Russian-speaking network intruders—not spammers—with a preference for immediate, consistent work.”
Final Deal Struck Between UCSF & Operator
Through down-to-earth conversation, an appeal to empathy, and compliments (a common negotiation strategy that seasoned negotiators stand by), the UCSF negotiator was able to strike a deal to recover at least 20 gigabytes of files that the attackers had stolen from the university network. This translated to encrypted data from at least seven university servers.
Japanese University Leverages Blockchain to Protect Servers
Ransomware attacks appear to be on the rise, especially during the pandemic.
Companies are certainly not the only ones concerned with cyber attacks. In fact, schools have also been increasingly targeted for encrypted data and transcript forgery. Recently, Japan came up with a system called CloudClerts that leveraged blockchain technology to provide universities with a more secure way of distributing academic transcripts and expected graduation diplomas.
Blockchain is increasingly perceived by many firms and institutions as a way to combat digital counterfeits and conduct business more efficiently.