A leading medical research institution working on a cure for Covid-19 has admitted it paid hackers a $1.14 million ransom after a secret deal witnessed by BBC News.
The Netwalker criminal gang attacked the University of California at San Francisco (UCSF) on June 1.
The IT team rushed to disconnect computers to stop the malware from spreading.
An anonymous tip-off allowed BBC News to follow the ransom negotiations in a live chat on the dark web.
Cybersecurity experts say this type of negotiation is taking place around the world, sometimes for even larger sums, against the advice of law enforcement agencies including the FBI, Europol and the UK's National Cyber Security Centre.
Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.
At first glance, the gang's home page on the dark web looks like a standard customer-service site, with a frequently asked questions (FAQ) guide, a "free" sample offer of its software, and a live chat option.
But there is also a countdown timer to the moment when the hackers double the price of their ransom or delete the data they have scrambled with malware.
Instructed to log in, via email or a ransom note left on the screens of hacked computers, UCSF received the following message, posted on June 5.
Six hours later, the university asked for more time and for details of the hack to be removed from Netwalker's public blog.
Noting that UCSF earns billions a year, the hackers demanded $3 million.
But the UCSF representative, who may have been an outside expert negotiator, explained that the coronavirus pandemic had been "financially devastating" for the university and asked them to accept $780,000.
After a day of negotiations, UCSF said it had gathered all the money available and could pay $1.02 million, but the criminals refused to go below $1.5 million.
Hours later, the university returned with details of how it had obtained more money and a final offer of $1,140,895.
The next day, 116.4 bitcoins were transferred to Netwalker's e-wallets and the decryption software was sent to UCSF.
UCSF is now helping the FBI in its investigations, while working to restore all affected systems.
It told BBC News: "The data that has been encrypted is important for some of the academic work we do as a university, serving the public good.
"So we made the difficult decision to pay part of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data obtained.
“It would be a mistake to assume that all statements and claims made in the negotiations are factually accurate.”
Jan Op Gen Oorth of Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.
“Instead, they must report it to the police so that law enforcement can disrupt the criminal enterprise.”
Brett Callow, threat analyst at cybersecurity company Emsisoft, said: “Organizations in this situation are without a good option.
“Even if they pay for the demand, they will simply receive a promise that the stolen data will be deleted.
“But why would a ruthless criminal company delete data that could generate more revenue later?”
Most ransomware attacks begin with a booby-trapped email, and research suggests that criminal gangs are increasingly using tools that can gain access to systems through a single download. In the first week of this month alone, Proofpoint's cybersecurity analysts said they saw more than a million emails using a variety of phishing lures, including fake Covid-19 test results, sent to organizations in the US, France, Germany, Greece and Italy.
Organizations are encouraged to regularly back up their data offline.
Ryan Kalember, of Proofpoint, said: "Universities can be challenging environments for IT administrators to secure.
“The ever-changing student population, combined with a culture of openness and information sharing, may conflict with the rules and controls often needed to effectively protect users and systems from attack.”