The University of California at San Francisco (UCSF) has paid about $1.14 million to recover files locked down by a ransomware infection.

The university was struck on June 1, where malware was found in the UCSF School of Medicine’s IT systems. Administrators quickly attempted to isolate the infection and ringfence a number of systems that prevented the ransomware from traveling to the core UCSF network and causing further damage.

The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago. UCSF, which has pursued a substantial amount of research on coronavirus and COVID-19, stated that the attacks had not affected that research, nor had an impact on the operations of its medical center and patient care.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the statement said. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

Buy Me A Coffee

UCSF’s information technology department caught the attack in progress and “quarantined several IT systems within the School of Medicine as a safety measure,” preventing the attack from reaching the “core UCSF network,” the university said in the June 26 statement.

The BBC was able to follow the negotiation, made in the Dark Web, between Netwalker and the university. The threat actors first demanded $3 million which was countered by the UCSF with a $780,000 offer, together with a plea that the novel coronavirus pandemic had been “financially devastating” to the academic institution.

This offer, however, was dismissed, and a back-and-forth eventually led to the agreed figure of $1,140,895, made in Bitcoin (BTC). 

In return for payment, the threat actors provided a decryption tool and said they would delete data stolen from the servers.