UCSF Pays $1.14M Ransom to Stop Cyberattack Impacting Academic Work

June 30, 2020
Leaders say the incident didn’t affect their patient care delivery operations, overall campus network, or COVID-19 work

The University of California San Francisco (UCSF) acknowledged that it paid a $1.14 million ransom to stop a malware attack that encrypted some IT servers within the health system’s School of Medicine.

On June 3, UCSF IT staff detected a security incident that occurred in a limited part of the UCSF School of Medicine’s IT environment on June 1, officials said in a recent statement. The servers within the School of Medicine were temporarily inaccessible as a result of the malware attack, which university officials said was stopped as it was occurring.

According to UCSF, “Since that time, we have been working with a leading cybersecurity consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses. We expect to fully restore the affected servers soon.”

Officials added that the health system “quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work.”

Leaders believe that the malware encrypted the health system’s servers opportunistically, with no particular area being targeted. The attackers obtained some data as proof of their action, to use in their demand for a ransom payment, they added, attesting they do not currently believe patient medical records were exposed.

However, officials stated, “the data that was encrypted is important to some of the academic work we pursue as a university serving the public good.” They then admitted, “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

An early June report from Bloomberg noted that “The hackers, known as Netwalker, claimed credit for the attack on their dark web blog. The post dedicated to UCSF appeared to have been copied and pasted from the university’s home page promoting its work on health care.”

When hit by a ransomware attack, healthcare organizations face difficult decisions on whether or not to cave to the hackers’ demands. In 2016, the FBI publicly stated that “Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”

Similarly, Shefali Mookencherry, principal advisor at consulting firm Impact Advisors, told Healthcare Innovation that she believes organizations should engage their cybersecurity insurance services when deciding on whether to pay the ransom to get systems back up versus not giving in. Also, she notes, paying the ransom doesn’t guarantee that the organization will get its data back. “I’ve known of incidents where organizations never got a decryption key after having paid the ransom. Paying a ransom not only encourages cyber criminals to target more organizations, it also offers an incentive for these criminals to get involved in this type of illegal activity. Also, paying a ransom could make an organization an accomplice in funding other illicit activity linked to cyber criminals.” Mookencherry ultimately advises, “Don’t pay the ransom. Be smart in backing up your systems. Have a backup system for the backup system.”
