Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments


An anonymous tip-off to BBC News enabled them to watch in real-time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware.

As reporter Joe Tidy describes, the University of California San Francisco (UCSF) was attacked by the notorious NetWalker ransomware on the first day of June.

Netwalker message

A ransom demand left by the gang directed the university dedicated to medical research to a payment page on the dark web, where they could find an FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), and the ability – just like so many legitimate websites – to have a live chat with a support operator.

NetWalker chat message. Source: BBC News

Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data onto the internet if time runs out.

Six hours after asking, the University of California San Francisco must have been relieved to have been given more time, and for news of the attack to be removed from NetWalker’s public website.

NetWalker chat message. Source: BBC News

However, the hackers demanded $3 million, and were less than impressed when whoever was at the UCSF’s end of the conversation begged them to accept $780,000 citing the “financially devastating” damage caused by the Coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.

NetWalker chat message. Source: BBC News

Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker gang the following day, and the university received the decryption software required to recover its affected data.


Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.

“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.

“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”

Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Every time one organisation decides to pay its extortionists, it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.

At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.

The University is now said to be assisting in the FBI’s investigation into the attack, and restoring its affected systems.

One final thought for you all: in whose interest is it to tip off BBC News about a ransomware negotiation as it happens?
