back to article University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'

A California university which is dedicated solely to public health research has paid a $1.14m ransom to a criminal gang in the hopes of regaining access to its data. The University of California San Francisco (UCSF) paid out in the apparently successful hope that the Netwalker group would send it a decryption utility for its …

  1. Pascal Monett Silver badge

    So, nothing important was encrypted

    Yet the CalU paid over a million bucks to get whatever unimportant stuff back.

    I may be mistaken, but a million bucks should get you a pretty good backup system. HELLO ? It's time to WAKE UP. You ARE going to be targeted, so you might want to think of spending a few hundred thousand on proper backup procedures before you have to spend a million on the good will of a fucking criminal scumbag.

    Just a thought.

    1. Anonymous Coward
      Anonymous Coward

      Re: So, nothing important was encrypted

      Careful with the caps, else we might think you've been infected.

    2. BenDwire Bronze badge

      Re: So, nothing important was encrypted

      Ah yes, but that expenditure comes out of a different budget you see!

      As well as having a decent off-line archive, people could encrypt their own files by default, then at least the crims won't be able to leak anything meaningful? It's probably in the "too difficult for people" category though.

      1. Doctor Syntax Silver badge

        Re: So, nothing important was encrypted

        "Ah yes, but that expenditure comes out of a different budget you see!"

        One that's only available after the event.

    3. Long John Silver

      Re: So, nothing important was encrypted

      I grasp that running servers are always vulnerable to failure and malicious acts must be factored in as a possibility. Thus temporary disruption may not be wholly avoidable. Yet no organisation ought allow itself to be in the position of facing permanent loss of irreplaceable data.

      Presumably mechanics of encryption extortion require some time for encryption of large sets of data to be completed (seconds. minutes, or hours?). Also, I assume miscreants must arrange secure deletion of original versions when the task is completed. This leaves the matter of how well backup and mirroring regimens operate.

      Although an attack may obfuscate the entire collection of data available to legitimate users at the time it began that should not mean recovery from backup not in continuous connection to affected servers is infeasible. That raises the question of how frequently backing-up ought occur, and how many layers of independent backup ought be retained, in order to minimise irretrievable data loss from point of intrusion after the last backup. Presumably, someone has worked this out? Perhaps the answer varies according to the load on vulnerable servers?

    4. Phil Kingston

      Re: So, nothing important was encrypted

      To management, DR only becomes important once you've had the D

    5. Jonjonz

      Re: So, nothing important was encrypted

      Look no further for proof our public institutions have reached critical infrastructure rot levels.

      When the whole governmental system decides it's cheaper to pay off the occasional hacker than budget for decent security or devote police resources to this issue.

    6. LucreLout Silver badge

      Re: So, nothing important was encrypted

      a million bucks should get you a pretty good backup system. HELLO ? It's time to WAKE UP. You ARE going to be targeted, so you might want to think of spending a few hundred thousand on proper backup procedures before you have to spend a million on the good will of a fucking criminal scumbag.

      Indeed - though that is possibly not the most important reason you might need the backup. I mean, the criminal scumbag has just encrypted the data, so there's a chance of recovery. No backups puts you one fire away from total loss. Or maybe a flood. Or an earth quake. Or a theft. Or an equipment failure.

    7. I ain't Spartacus Gold badge

      Re: So, nothing important was encrypted

      I don’t know the going rate for good ones. But surely a million dollars ought to buy a decent hitman, with side expertise in torture, as an alternative to paying the ransom...

    8. jgarbo

      Re: So, nothing important was encrypted

      Or someone inside UCSF is getting a cut of the million. Easy, untraceable pocket money...

  2. William Higinbotham

    Write-off instead

    I wonder if they tried to bargain a official form showing the organization donated $1.14 million worth of technical support for tax deduction instead?

    1. RM Myers Bronze badge

      Re: Write-off instead

      This is part of the University of California system, i.e., owned by the state government, and thus not subject to income taxes. No taxes, no need for tax deductions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Write-off instead

        So maybe the Federal government should now fine them $1.14m for paying off blackmailers?

        1. RM Myers Bronze badge

          Re: Write-off instead

          I wonder how high up this decision went? Did the University decide on their own, or did they take it to the chancellors of the University of California system, the governor, or the legislature? I could see some real political blowback which might affect future state funding for UCSF.

  3. Anonymous Coward
    Anonymous Coward

    The BBC should be in the dock too

    It's about time the media stopped thinking they are skilled enough to "report" on events like this without becoming part of the story. We repeatedly refuse to understand how the press is a symbiotic part of the process. Criminals and terrorists understand the relationship very well, though, and routinely exercise it. Yes, I can hear the cries of "censorship", "freedom", "public awareness" etc. but this demonstrates that rights are earned by responsibilities, and if not, come at a cost that someone else pays.

  4. Mark192 Bronze badge

    Yeah, high profile reporting on data theft indirectly raises the cost to organisations meaning it's starting to get to the point where they're having to take security seriously.


    "The criminals want how much!? That's way more than in the last cost-benefit analysis we used to decline ITs request for more money".

  5. Pianoman99

    you can count on gov organisations to (a) ignore their own rules (b) spend money unwisely (c) spend money without consideration for any real value.

    And Why was the BBC involved? It's not in their charter to carry out negotiations on behalf of others. #defundtheBBC

    1. Paul 195

      Defund the Troll Farms

      Who are these people shouting "defund the BBC"? The biggest beneficiaries of such a move would be: 1) media moguls, 2) Russia Today and other Kremlin outputs. It would certainly do very little to help a world splintering into little social media bubbles who do not share any beliefs about what is and isn't real.

      In fact, you've really got to ask yourself who is behind this recent movement aimed at one of the most trusted sources of information in both in the UK and in the wider world.

      If you really, really are a British citizen, why would you want to destroy what is still an important source of "soft power" for this country? Let's face it, with Brexit, we're going to need all the assets we've got.

    2. Falmari

      Why was the BBC involved?

      But it is part of their charter to report the news which is what they did.

      Where did you get from the article that they carried out negotiations?

      All I read is they reported negotiations had happened and published some excerpts from information they had gathered.

    3. hmv Silver badge

      I think you need to revise your basic English comprehension - there's no indication within the article that any journalist was involved in the negotiations; they observed.

      1. Terry Wrist

        some sort of ransomeware porn watching.

  6. Anonymous Coward
    Anonymous Coward


    ""ethical" criminals who promised"

    These are thieves, not mercenaries. Everything they do is in opposition of ethics.

  7. Noel Morgan

    It is all very well saying that - oh they should have had proper backups.

    Unless you are targeted by these sort of groups, you have no idea how destructive they can be. They can sit inside your network for weeks, and map out everything including your backup regime. They will know you have offsite backups and make sure that those are left in a useless state. You do restore your offsite backups to confirm they are valid, dont you. Thats great, however what happens if there is now a booby trapped file in your backup that activates after a certain date and re-encrypts your network.

    They will wait until they know the best time to strike, 3am in the morning when no admins are around means you will cause more damage without anyone knowing and taking action.

    no point in password protecting things, they probably have your domain admin credentials.

    Are you sure you can pay the fines for having confidential medical or financial information released to the world?

    A $1million payday can really concentrate your mind to make sure you do enough damage so as your victim has no option but to pay up. Not bringing morals into this - I know all of us would never do this, but as think of this as an academic exercise.

    If any of us knew we could earn millions without a chance of being caught, do you think you could wreck a companies network and their backups?

    1. kmedcalf

      The length of time it takes to "recover" (go from the after state to the before state) is the same as the amount of time it took to go from the before state to the after state.

      That is to say that if it takes you 6 months to "decrypt" your files once you have the decryption keys, it also took 6 months to "encrypt" them.

      There is no excuse for being so incompetent that you did not notice FOR SIX MONTHS that you files were in the process of being encrypted.

      Also, it is highly unlikely that, except though incompetence, one would not notice the exfiltration of gigabytes or terrabytes of "copied" information.

      1. Noel Morgan

        Who mentioned anything about it taking six months?

        All you need to do is encrypt the file headers. I have seen 6 terrabytes of files encrypted so as to be useless in under an hour, that was on an old server we used for testing purposes. HP Microserver N54L with Spinning rust hard drives. over 500,000 files.

        You also don't need to exfiltrate a huge amount of data. Just the stuff that the company does not want to be seen. Pay Records, HR information, Bank information. Death Star schematics. I don't need to access the entire web store you have including videos and images, just the badly encrypted credit card information.

  8. aks Bronze badge

    Never negotiate

    Simply make it a criminal offence to cooperate with these criminals. Certainly to contact such people except as part of a police operation.

    They're doing it to make money. Deny them the money, it only encourages them.

  9. kmedcalf

    Improper Language

    Why is a lawful business enterprise being referred to as a "Ransomware Gang"? Are they not merely a business engaged in the Security Assurance business by exposing those with shoddy computer security practices? It should be pointed out that the Government is the biggest "Ransomware Gang" of all in that they act directly to torture its victims into paying them money.

  10. kmedcalf

    Improper Language, more

    Why is the data "stolen"? It is not stolen, merely copied. The original "owner" *if there can be said to be an owner* is not deprived of possession of the original data. If a car is stolen, the original possessor no longer has the use of the car -- however in these cases nothing is "stolen" -- it is merely copied and the original possession is not deprived of their possession of the thing copied.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020