Medical school pays computer hackers $1.4 million in bitcoin to return stolen data

The school ultimately paid the attackers $1.4 million in cryptocurrency.

UCSF says it fell victim to a ransomware attack in June.

A major California medical school was forced to shell out $1.4 million in bitcoin to computer hackers.

On June 1, the University of California-San Francisco School of Medicine experienced a ransomware attack on several of its computer servers. This attack encrypted the data on the affected servers and made their contents inaccessible to anyone without the correct tool to unlock them. The school paid the high price ransom in cryptocurrency to release the encrypted data.

In a statement, the university said, “our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted. The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed.”

“Out of an abundance of caution, we immediately isolated a wider range of the school’s servers than what the intrusion targeted and engaged a leading cybersecurity firm to assist in our response,” the school explained.

[RELATED: Conservative’s Instagram account ‘hacked by Communist sympathizers’ after China criticism]

The school assured that university officials are currently cooperating with the FBI to investigate the breach and measures are being explored to advance the university’s cybersecurity.

Computer security expert and 2011 Infosecurity Europe Hall of Fame inductee Graham Cluley, told Campus Reform that, “Paying extortionists following a ransomware attack undoubtedly encourages hackers to launch more ransomware attacks.  If no-one ever paid up, the cybercriminals would use other tactics.  So, in an ideal world, I’d like to see no ransoms ever being paid.”

“However, I think organizations hit by ransomware can be put in a very difficult position if they have no other easy way to recover from the attack, cannot restore from backups, etc.  In those cases - unpalatable as it may be - paying the ransom may be the only way to keep an organization running, keep people employed, and continue to do their important work,” Cluley added.

This is not the first time a university has been targeted by hackers. 

In 2019, Regis University was targeted in a similar fashion. Email, internet, phones, and the university’s website were all shut down while the attack was investigated and the threat was neutralized. The attack also involved ransomware, but university officials have not said how much was paid. 

[RELATED: Conservative student blocked by own school’s Twitter account]

Monroe College was also asked in July 2019 to pay a $2 million ransom to restore access to its website, email, and learning management system. It is unknown whether this attack involved ransomware.

The attacks at UCSF, Regis University, and Monroe College all occurred near the beginning of the fall semester, a time when access to university data is vital to starting a new academic year. 

Cluley concluded that “There’s no denying that it’s a deeply unattractive place to find yourself as an organization.  I just hope that those who pay learn their lesson, and ensure that proper defenses and recovery measures are put in place to avoid similar attacks in [the] future.”

UCSF did not respond in time for comment.