Malware attacks on prominent businesses and institutions are nothing new. But experts say the shift to working from home amid the COVID-19 pandemic may be making it easier for hackers to find a way in.

UC San Francisco announced that it had paid a ransom of $1.14 million to hackers in June to recover data from its School of Medicine that had been encrypted with malware. The incident marked the third in a string of recent cyberattacks carried out against universities.

According to UCSF, the hack did not affect patient care delivery operations or research on COVID-19.

The prestigious medical school is among several universities targeted by ransomware — where hackers demand payment to release or restore the infected data — in recent months. “Netwalker,” the ransomware responsible for the UCSF hack, was used to carry out similar attacks against Michigan State University and Columbia College, Chicago in late May and early June. Michigan State opted not to pay its ransom on the advice of law enforcement, which resulted in financial documents and personal information from the university being published online.

The attacks haven’t been limited to universities either. A search on Twitter reveals numerous additional organizations that have purportedly been targeted by Netwalker, from a Long Beach country club to a health care provider in Philadelphia. Overseas, a cyberattack in June against Honda brought car factories to a halt around the world.

Since COVID-19 lockdowns began, cybersecurity experts have been scrambling to rebuild company systems for remote work and manage security for thousands of employees now working from home.

“One of the big four financial accounting firms is a client of ours,” said Bill Conner, president of network security company SonicWall. “I got a call in March … that said ‘Bill, I’ve got to have, like, 400,000 (employees) now turned on immediately for secure mobile access.’”

Carolyn Crandall, chief deception officer at computer security service Attivo Networks, said that connecting to sensitive servers from home comes with many new risks because personal computers can be more vulnerable to malware, and remote connections can be expensive to secure. With employees connecting from various locations and devices, it’s also harder to monitor for suspicious activity.

All this means more opportunities for hackers to launch cyberattacks.

“In most cases, these are not brand new exploits, (attackers) are not creating new malware,” Conner agreed. “They’re just attacking more vulnerable areas. There’s more easy access from home than there was in a building because you have multiple layers of security in your office.”

Crandall said that Attivo has observed an uptick in ransomware attacks in recent months among its clients that she fears could eventually lead to further high-profile breaches.

“I hope I’m wrong, that the shoe’s not about to drop, but I fear given what we know as security professionals that there is definitely an increased risk,” she said.

Hackers struck UCSF on June 1 with malware that encrypted data on some of the School of Medicine’s servers, rendering them inaccessible. The hackers demanded a ransom payment to release the data — a demand that UCSF begrudgingly met on June 6 after a day of negotiation on a dark-web website.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the university wrote in a news release. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

According to Crandall, it’s not uncommon for companies to pay out even hefty ransoms to quickly recover their information from hackers. But ransom demands from cyberattacks usually range between $1,000 and $100,000, she said, depending on the size of the business. UCSF’s bounty was unusually high.

“That was a massive payout,” Crandall said. “The data they were protecting or needing to get back must have been pretty important.”

The university is working with the FBI and a “leading cyber-security expert” to investigate the attack and expects to be able to restore the affected data soon.

The best defense against ransomware attacks, experts agree, is to not get breached in the first place. Conner recommends that businesses ensure they’re using multi-factor authentication for their apps and services and maintain rigorous backups of their information.

Crandall said that in the event of a successful attack, companies are generally advised not to pay the ransoms demanded of them.

“Inherently, (paying) doesn’t guarantee the return of the data or that the decrypter (to recover files) is going to work,” Crandall said. “And there’s always a chance that even if you pay the first time, they may come back and hit you again.”