After being hit with a ransomware attack in early June, the University of California San Francisco School of Medicine has paid a portion of the $1.14 million ransom that the attackers demanded in order to regain access to the encrypted servers.
The attack took place on June 1 and the university disclosed it two days later, saying that the school’s IT staff had discovered and limited the intrusion as it was going on. Although the intrusion specifically affected some of the School of Medicine’s servers, the IT team also isolated a number of the school’s other servers to ensure that the scope of the attack was contained. The wider UCSF network was not affected by the ransomware, but the attackers were able to exfiltrate some data from the affected servers, though not any patient medical records, the school said.
“Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted. The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed,” UCSF said in an update on June 26.
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
The UCSF staff did not say how much of the ransom the school paid or what strain of ransomware was deployed. But the UCSF infection is by no means an anomaly. Ransomware gangs have been targeting schools, government agencies, and health care facilities with alarming frequency in the past couple of years. Many municipalities, local governments, school districts, and other public entities have been hit by ransomware, with some victims paying the ransom and others opting to rebuild or restore from backups.
Last July, the City of New Bedford, Mass., was hit by the Ryuk ransomware, which affected a small percentage of the city’s computers. The attackers demanded $5.3 million, which the city refused to pay and eventually rebuilt or replaced the affected systems. On the other side of the fence, two small towns in Florida, Lake City and Riviera Beach, each paid ransoms last year of several hundred thousand dollars.
Sentiment within the security community on whether organizations should pay ransoms in these cases is divided, but for the victims the decision often comes down to business imperatives, as was the case for UCSF. Because some of the servers that the attackers were able to encrypt contained information that the school needed for academic work, the UCSF staff decided to pay some of the ransom.