Threat Watch

University of California San Francisco Decides to Pay Netwalker Operators $1.14 Million

The University of California San Francisco (UCSF) suffered a Netwalker ransomware attack that was discovered in early June when the operators behind Netwalker posted to their leak site about it. Information from the school of medicine was accessed and some was encrypted. In an announcement by the school they stated, “we quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work.” While the investigation is still being carried out, UCSF has decided to pay $1.14 million USD to the Netwalker operators in exchange for the stolen data and the tools to decrypt the data that was encrypted during the attack.

ANALYST NOTES

While it is still being investigated, Bad Packets tweeted on June 3rd that the university had multiple servers that were vulnerable to CVE-2019-19781 between December 17, 2019 and January 11, 2020. It is very important to make sure systems are updated as soon as updates are available, because attackers are always looking to exploit outdated or unpatched systems. It is also advised that secure offline backups of important data are created—this reduces the need for ransoms to be paid and lessens the effect of the attack as a whole. Ransomware attacks often start with exploitation of an unpatched server or social engineering an employee to open a file to launch malware. The next step typically involves the ransomware operators stealing administrator account passwords and gaining control over Domain Controllers or other critical servers. Once attackers have control over the most critical servers and data files, they deploy ransomware using system automation tools to cause the maximum damage. Threat actors also typically steal copies of sensitive files before encrypting them for additional leverage over victims. The best defense is to detect intrusions in the earliest stages by monitoring for unusual behaviors on networks, workstations and servers, and responding to cut off attacker access before they gain control over critical servers.