November 29, 2021
Months into the COVID-19 pandemic, hackers had taken control of data belonging to a University of California San Francisco research team testing a possible coronavirus vaccine. They were demanding $3 million in exchange for returning control of the data.
A university negotiator sent them a plea.
“The sense is that it’s not looking good,” the anonymous negotiator wrote, according to a chat transcript first reported by Bloomberg. “The more I ask around, the more I hear that all departments are hurting for money. I ask you to keep an open mind.”
The highly publicized ransomware attack in June 2020 was claimed by Netwalker, a group with a history of targeting healthcare entities. UCSF, like many colleges and universities at the time, was dealing with budget cuts of up to 10% to offset revenue losses related to suspending in-person operations. But the hackers weren’t buying the plea of poverty from a university system that collects billions in annual revenue.
“You need to take us seriously,” a Netwalker representative warned. “If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”
Major research institutions, especially those with ties to hospitals, carry incredibly sensitive data and are increasingly becoming targets for ransomware attacks. UCSF ultimately paid $1.1 million to regain control of its hijacked servers — likely a fraction of the amount it would have spent recovering the data otherwise.
“The FBI always advises against paying the ransom,” said Adam Hardi, a higher education senior analyst at Moody’s Investors Service. “But we have seen a fair number doing it anyway because it is more economically feasible to spend $1 million than potentially $10 million to retrieve the data.”
Cyberattacks on colleges and universities have been increasing over the years, but the pandemic ushered in a new era of urgency. The attacks pose not just financial risks but also operational risk, as was the case when the University of Massachusetts Lowell canceled classes for nearly a week in June after a security breach. Some institutions, like Wichita State University, have been sued over cybersecurity incidents.