Hackers extort $1.14m from the University of California, San Francisco

A prominent medical research institution that is heavily involved in efforts to find a cure for Covid-19 has disclosed having paid hackers a $1.14m ransom after a long secretive negotiation process.

 A criminal gang that identifies itself as ‘Netwalker’ attacked the University Of California (UCSF) on 1 June this year.

The IT personnel unplugged computers in an attempt to prevent the malware from spreading.

Cyber-security professionals have said that these kinds of negotiations are now widespread over the globe despite the advice of law enforcement agents such as Europol, the FBI, and the United Kingdom’s National Cyber Security Centre.

In the past two months,  Netwalker alone has been associated with at least two other ransomware attacks on universities.

The dark-web website used by Netwalker for negotiations

At first sight, its dark-web homepage appears like an ordinary customer service website, with a frequently asked questions (FAQ) tab, a ‘free’ offer of its software sample, and a live chat option.

However, there is also a countdown timer ticking down to a time when the hackers ask for twice the initial price of their ransom or delete the information they would have scrambled with their malware.

The details

UCSF was instructed to log in either by email or a ransom note left on their hacked computer screens and were met with a message encouraging them to ‘work together’ with the hackers on the ‘current incident’ on 5 June.

After six hours, UCSF requested more time and for details of the hack to be removed from Netwalker’s public blog.

Noting the university makes billions in a year, Netwalker demanded $3m.

However, the UCSF representative who might have been a hired specialist negotiator, explained how the Covid-19 pandemic had financially devastated the institution and pleaded with them to accept the university’s offer of $780k.


After a day of dialogue, UCSF said they had managed to raise a total of $1.02m, but the hackers refused to accept anything less than $1.5m, half their demand.

After some hours, UCSF came back with details of how they had managed to pull together more money and made a final offer of $1,140,895.

The following day 116.4bitcoins were transferred into Netwalker’s electronic wallets, and the hackers sent UCSF a software to unlock the encrypted data.

The University is now assisting authorities in their investigations while also working to restore the affected systems.

It also explained that it made the ‘difficult decision’ to pay the ransom because the data that was encrypted was important academic work that the university was pursuing.

Experts’ opinion on the issue

Jan Op Gen Oorth from Europol argued that by paying the ransom, victims finance the criminals and encourage them to continue with their illegal activities.

He says such incidences should be reported to the police to enable law enforcement officers to disrupt criminal enterprises.

His remarks were also echoed by other experts such as Brett Callow,a threat analyst at a cyber-security firm Emsisoft who warned that even after paying the ransom, organizations have no guarantee that the stolen data will be deleted.

Most ransomware attacks have been known to start with a booby-trapped email and researchers are suggesting that cybercriminals are increasingly making use of tools that can gain access to victims’ systems via a single download.

Institutions are encouraged to regularly back-up their data offline.

Leave a Reply