author photo
By SecureWorld News Team
Thu | Jul 2, 2020 | 4:53 PM PDT

We expect high stakes negotiations to make or break things.

From mergers and acquisitions, to labor negotiations, to pretrial settlements that keep a lawsuit from going to court.

Now we must add another type of high stakes negotiation to the list of items organizations should prepare for: negotiating with hackers who are demanding millions of dollars following a ransomware attack.

And we're about to see how recent negotiations went back and forth between cybercriminals and a victim organization, including the posturing from both sides.

You will see how it resulted in a seven-figure payout to hackers.

The University of California vs. Netwalker ransomware operators

It was the morning of June 1, 2020, when the IT team at the University of California-San Francisco (UCSF) noticed something was wrong; a cyberattack was underway.

"While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible," the university said.

And those servers, like servers at any organization, contained valuable information which was encrypted by the ransomware. The hackers also apparently stole some of it and posted it online as a preview of more leaks to come. Unless, of course, the organization paid up, which it did.

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

Now that we know how the attack started and ended, let's get to the really interesting stuff. By that, we mean the actual negotiations between Netwalker ransomware operators and the University of California-San Francisco.

The ransomware negotiation and conversation

After the UCSF ransomware attack began, an anonymous tip came in to the BBC News team, which pointed BBC reporter Joe Tidy to a place where he could watch the high stakes negotiations happening. Here's what he saw in the back and forth.

At first, UCSF officials were instructed to log in to a portal and found a welcome message:

Tidy says at the onset, hackers told the university the ransom demand was $3 million.

UCSF, or its negotiators, asked for hackers to take down information they had posted, to get things rolling.

[Netwalker hackers] "Done, your data is hide from our blog. Now let's discuss."

Hackers explained that UCSF had more than $5 billion in annual revenue, so a $3 million ransom seemed reasonable.

The university responded by offering $780,000 and explained that the coronavirus had been very costly to the university.

[Netwalker hackers] "How can  I accept $780,000? is like, I worked for nothing. You can collect money in a couple of hours. You need to take is seriously. If we'll release our blog, student records / data, I am 100% sure you will lose more than our price what we asked. We can agree to an price, but not like this, because I'll take this as insult."

Keep that 780,000 to buy McDonalds for your employees. Is very small amount for us."

In his BBC article, Tidy says back and forth negotiations continued for a day until the University of California came up. It now offered a ransom of $1.02 million. 

Then, the high stakes negotiating continued.

[Netwalker hackers] "I speak with my boss. I sent him all messages and he can't understand how a university like you: 4-5 billions per year. Is really hard to understand and realise you can get $1,020,895. But okay. I really think your accountant / department can get $500,000 more. So we'll accept $1.5m and everyone will sleep well."

With the two sides still almost $500,000 apart, it was the university's move.

A few hours later, Tidy writes, UCSF made a final offer of $1,140,895.

Hackers squeezed nearly another $120,000 from the university.

[Netwalker hackers] "Ok, good. Now you can sleep well. Well can you pay?"

A quick look at the ransomware math

In the final analysis, we see that hackers went from a $3 million ransom demand to accepting $1.14 million, or 62% less than their initial asking price.

On the university side of things, they paid 46% more than their starting offer of $780,000.

Ransomware attacks becoming more devastating and effective

About the same time that this seven-figure ransom was revealed, SecureWorld interviewed cybersecurity thought leader Joseph Steinberg about the increasing severity of ransomware attacks, where data is stolen as a means of extortion.

"The reasons it is getting worse are actually pretty simple. Reason number one is it makes a lot of money for criminals, and they're gonna go and run the kinds of attacks that make money.

If you run an attack that seizes the data of a company that relies on that data to operate or to compete, what's that data worth to them? I mean, you know, that's extremely valuable. It could be their lifeblood. So they're willing to pay in many cases, as more and more systems become electronic and smart.

It's also a matter of time, even if they had the ability to recover their data. If it takes them two days, and the loss of two days' revenue is greater, it's gonna cost them more to recover the data than just paying the ransom. They'll pay the ransom.

If you're talking about a healthcare facility, and someone could die in the time that it takes to get the data, because they need the data in order to take care of people, they're gonna pay the ransom.

As the data that's being stolen is more significant, ransomware becomes a more and more lucrative attack."

The most successful ransomware operators pulling down the largest ransoms are not taking a shotgun approach, Steinberg says. Instead, they are going after targets who can afford to pay.

"They're studying the targets, they're putting out a targeted attack, and demanding a very large ransom from someone who can afford to pay it and be would be willing to pay it. For the reasons that we mentioned before, that it's actually in their financial interest to do so."

Clearly, the University of California-San Francisco believed it was in the organization's best interest to pay hackers a seven-figure ransom.

And now we have a lot better insight into how the negotiations progressed. 

Related podcasts

Listen to the rest of our interview with Joseph Steinberg as we talk ransomware, insider threat risk, IoT security, and translating security risk to the business:

Also, check out our interview with one of the top cyber investigators at the United States Secret Service as we discuss the Enterprise Business Model of Cybercrime:

Tags: Ransomware,