The hackers’ target was high: a major medical research institution working on a cure for covid-19.
Hackers manage to get the University of California, San Francisco (UCSF) $ 1.14 million after undercover negotiation.
An anonymous message determined to the BBC to follow the negotiations in a live chat found on the dark web.
This is how the millionaire and competitive cyber extortion business works and expands
Behind the attack, on June 1, was the criminal gang Netwalker.
Cybersecurity experts say these types of actions are controlled out across the world, sometimes for even larger sums, in contravention of the advice of security organizations like the FBI, Europol or the National Center for Cyber Security at UK.
Netwalker has been linked to at least two other ransomware attacks, or data hijacking, against universities in the past two months.
At first glance, their dark web page looks like a standard customer service site, with a FAQ tab, a “free” trial offer of their software, and a chat.
5 things that can be achieved on dark internet networks
But there is also a countdown timer that comes at a time when hackers double the price of your ransom or remove data that they have encoded with malicious software (malware).
After logging in, UCSF received this message on June 5.
[Operator]: “Hello UCSF, don’t be shy, we can work together on the current incident.”
Six hours later, the university requested more time and details on how the hacked information would be removed from a Netwalker public blog.
[Operator]: “Done. Your details have been hidden from our blog. Now let’s start the discussion.”
Knowing that UCSF generates billions of dollars a year, hackers demanded $ 3 million.
But the UCSF representative, who may be an outside negotiation specialist, explained that the coronavirus pandemic has been “financially devastating” for the university and asked them to accept $ 780,000.
[Operator]: “How am I going to accept $ 780,000? It’s like I worked for nothing. You guys can raise the money in a couple of hours. Take it seriously. If we release our blog, information and student records, I’m 100% surely they will lose more than what we ask for. We can agree on an amount, but so, because I take that as an insult. ”
[Operator]: “Save that $ 780,000 to buy McDonald’s for your employees. It is very little for us.”
After a day of proposals and counterproposals, UCSF said it had raised all available money and could pay $ 1.02 million, but cybercriminals declined to drop below $ 1.5 million.
[Operator]: “I spoke to my boss. I sent him all the messages and he cannot understand it from a university like yours, from four to five billion a year. It is very difficult to understand and accept that they can raise US $ 1,020,895. But hey, I think your accountants / departments can raise $ 500,000 more. So we will accept $ 1.5 million and we will all sleep well. ”
Hours later, the university gave details of how it had obtained more money and a final offer of US $ 1,140,895.
[Operator]: “Okay. Now they can sleep well: D When can they pay?”
And the next day, 116.4 bitcoins were transferred to Netwalker’s electronic wallets, and UCSF received decryption software.
“This is like Cosa Nostra”: this is how the exclusive and clandestine club for mining bitcoins and other cryptocurrencies in Venezuela operates
Is there a guarantee?
UCSF is now assisting the FBI with its investigations as it works to restore all affected systems.
“Encrypted data is important to some of the academic work we do as a university serving the public good,” he told the BBC.
“Therefore, we made the difficult decision to pay a portion of the ransom, approximately $ 1.14 million, to the people behind the malware attack in exchange for a tool to unlock the encrypted data and return the information they obtained.” he indicated.
“It would be a mistake to assume that all the statements and statements made in the negotiations are objective.”