Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments

An anonymous tip-off to BBC News enabled them to watch in real-time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware.

As reporter Joe Tidy describes, the University of California San Francisco (UCSF) was attacked by the notorious NetWalker ransomware on the first day of June.

Netwalker message

A ransom demand left by the gang directed the university dedicated to medical research to a payment page on the dark web, where they could find an FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), and the ability – just like so many legitimate websites – to have a live chat with a support operator.

NetWalker chat message. Source: BBC News

Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data onto the internet if time runs out.

Six hours after asking, the University of California San Francisco must have been relieved to have been given more time, and for news of the attack to be removed from NetWalker’s public website.

NetWalker chat message. Source: BBC News

However, the hackers demanded $3 million, and were less than impressed when whoever was at the UCSF’s end of the conversation begged them to accept $780,000 citing the “financially devastating” damage caused by the Coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.

NetWalker chat message. Source: BBC News

Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker gang the following day, and the university received the decryption software required to recover its affected data.


Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.

“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.

“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”

Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Every time one organisation decides to pay its extortionists, it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.

At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.

The University is now said to be assisting in the FBI’s investigation into the attack, and restoring its affected systems.

One final thought for you all: in whose interest is it to tip off BBC News about a ransomware negotiation as it happens?


A privacy pickle as the pandemic lockdown lifts in England.

Pubs and restaurants told to collect customer data as lockdown eases... but not how

The UK Government has announced that it will be easing the Coronavirus lockdown on July 4th.

Amongst other changes, restaurants, pubs, and cafes in England will be allowed to reopen provided that they follow guidelines to help prevent the spread of the Coronavirus.

According to the UK Government’s own advice, these include “keeping a temporary record of your customers and visitors for 21 days.”

Keeping customers and visitors safe

The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks. Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. If you do not already do this, you should do so to help fight the virus…

In other words, in just ten days thousands of restaurants, bars and pubs are expected to start collecting the details of their customers and visitors.

Wouldn’t it be nice to think that this information will be collected carefully, stored securely, and ultimately properly destroyed, in a way which doesn’t breach GDPR regulations?

And yet, for now at least, the UK Government isn’t telling businesses how on earth they should do this.


And cafes and restaurants have probably got enough on their plate already, trying to reconfigure their premises and working methods to follow social distancing guidelines, without also having to get their head around data protection and privacy challenges.

Restaurants, pubs, and cafes are also not being told what information they should be collecting from their customers.

Let me say again, just ten days.

The UK Government’s advice acknowledges that firms might need some help:

We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly.

I understand that there’s a global pandemic going on, and not everything is going to be perfect.

But it’s not as though it’s a surprise to anybody that at some point the lockdown would begin to be lifted – and that restaurants, pubs, and cafes would begin to reopen slowly. Was there no plan already being worked on?

Giving so little notice to the hospitality industry puts it in a privacy pickle. Even if the UK Government does serve up advice on how this data should be collected and secured before July 4th, I doubt that many companies will be doing it properly.

Of course, security and privacy are not going to be the only challenges…


Industry veterans, chatting about computer security and online privacy.

Smashing Security podcast #183: MAMILs, gameshows, and a surprise from eBay

A TV gameshow with cash prizes if you’re obeying Coronavirus lockdown rules, ex-Ebay staff charged in crazy cyberstalking case, and when the wrong cyclist was accused by the internet bearing pitchforks.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Guest:

Maria Varmazis – @mvarmazis

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


NHS Test & Trace sends text to wrong person, telling them they tested negative for Coronavirus

Former British MP Emma Dent Coad was not very happy to hear from the NHS Wales Test and Trace service today. Not because the SMS text message she received told her that she had tested positive for the Covid-19 Coronavirus (it didn’t, and she hasn’t).

But rather because the SMS clearly was meant to go to someone else entirely.

On Twitter, the former Kensington MP didn’t hold back, expressing her concern that the SMS notification from NHS Wales of a negative test result had not only been clearly sent to the wrong phone number, but also that there was no obvious way to inform the service of the error.

NHS tracing text message

Who the hell’s in charge of NHS text notifications?

NHS WALES has just informed me, in English and Welsh, that xxx (not me) has tested negative for CV19.

I’m delighted for xxx, but 1, WTAF, and 2, there is no way to respond!

In a screenshot shared on Twitter, Dent Coad – who is still a Labour councillor – revealed that the message exposed the patient’s name and full date of birth.


I suspect what’s happened here is simple human error. Either the person being tested doesn’t know their own mobile phone number (hey, don’t laugh. I don’t know my phone number. After all, why would I ever ring it?) or it was entered incorrectly by whoever registered the patient for the Coronavirus test.

It’s easy to imagine, for instance, that a couple of numbers may have been accidentally transposed.

The likelihood of an error like this occurring could perhaps be lessened by simply double-checking, or even by sending a confirmation text to the number a patient has registered with the service, but… I guess these systems have been built in something of a hurry.

The worry is, of course, that some people are not going to receive information about their test status (positive or negative). At best that could be inconvenient and maybe a leak of personal information, but at worst it could increase the chances of the Coronavirus being spread to others.
