An anonymous tip-off to BBC News enabled them to watch in real time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware.
A ransom demand left by the gang directed the university, which is dedicated to medical research, to a payment page on the dark web, where they could find an FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), and the ability – just like so many legitimate websites – to have a live chat with a support operator.
Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data onto the internet if time runs out.
Six hours after asking, the University of California San Francisco must have been relieved to have been given more time, and for news of the attack to be removed from NetWalker’s public website.
However, the hackers demanded $3 million, and were less than impressed when whoever was at the UCSF’s end of the conversation begged them to accept $780,000, citing the “financially devastating” damage caused by the Coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.
Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker gang the following day, and the university received the decryption software required to recover its affected data.
Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.
“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”
Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Every time an organisation decides to pay its extortionists, it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.
At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.
The University is now said to be assisting in the FBI’s investigation into the attack, and restoring its affected systems.
One final thought for you all: in whose interest is it to tip off BBC News about a ransomware negotiation as it happens?