
California University Paid $1.14 Mn Ransom for Decryption Key

California University Data Breach

The University of California, San Francisco (UCSF) recently admitted that it paid $1.14 million to cybercriminals after suffering a ransomware attack. In an official statement, UCSF stated that attackers injected malware that encrypted databases inside the School of Medicine, where COVID-19-related antibody testing work is under way. While no patient data or COVID-19 work was affected, UCSF officials stated that the hackers obtained certain data as proof of the intrusion and used it to demand a ransom.

“We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work,” UCSF said.

The security incident was detected on June 1, 2020, and halted immediately by the UCSF security team. The university said it received the decryption key to restore access to the database and recover the stolen documents. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” UCSF added.

Ransom Demand Soars

According to the Coveware Ransomware Marketplace Research report, the average enterprise ransom payment increased 33% (to $111,605) in Q1 of 2020 from Q4 of 2019. The research revealed that ransomware operators succeeded in targeting large organizations and forcing ransom payments. It found that Sodinokibi (used in 26.7% of attacks), Ryuk (19.6%), and Phobos and Dharma (7.8%) were the top three most used ransomware variants in Q1 of 2020. Coveware stated that Maze, DoppelPaymer, and Sodinokibi operators are stealing data before encrypting it, then holding that data hostage and threatening to publish it unless the target agrees to pay.