Abu Hasnat Mahfuj

The University of California Ransomware Attacks

In June 2020, the Netwalker ransomware attack was launched against the University of California, in particular the School of Medicine IT environment. At first the authorities assumed that it had not affected their research work or patient care operations, but they later discovered that a considerable number of servers had been attacked and files encrypted, and the University of California paid a ransom of $1.14 million (Al-rimy, Maarof & Shaid 2018). Ransomware threatens to publish data from a computer system and blocks further access within the system. It is malicious software that encrypts data in order to demand a ransom. In most cases a deadline is set for the demand and, if it is not paid on time, the data is gone forever. It has become a common issue nowadays, and major companies in North America and Europe have fallen victim to it (Aniello et al. 2018). In today's era, sharing information over the internet has become popular, and so has the rate at which data is stolen. Cybercriminals attack any kind of business and any victim, regardless of their organisation (Wani & Revathi 2020). The core concept of crime over the internet has remained the same, but the ground has now changed. Many government security agencies, including the FBI, advise against paying the ransom, as the malware is likely to remain in the system and can repeat a similar attack in the future (Dullea, Budke & Enko 2020). These cybercriminals have changed their techniques and become more creative by accepting completely untraceable payment methods.

Ransomware facts and infection vectors

Most infection vectors rely on user interaction, such as clicking a malicious link in an email or visiting a compromised website. Malware in this type of attack does not, however, require user engagement to succeed; it is disseminated through malvertising or simple downloads.
While all ransomware infections are opportunistic, spread along untargeted infection routes such as the ones examined above, in a small number of highly unusual cases the digital threat is aimed explicitly at one victim (Kharraz, Robertson & Kirda 2018). This may follow the realisation that a weak point has been infected, or may result from deliberate infection activity. The Federal Bureau of Investigation (FBI) classes these circumstances as extortion rather than ransomware, and the settlement demanded is very frequently higher (Anderson 2016). Such was the case in 2016, when a few clinics were deliberately attacked with ransomware and became the focus of ransomware news.

Figure 1: Ransomware (University of California San Francisco 2020)

In recent years a variety of ransomware variants have emerged and extended their capabilities to include data exfiltration, participation in distributed denial of service (DDoS) attacks and threats directed at particular sectors. One variant erased the files even though payment was made. Another variant combines the capability to lock up cloud-based backups when systems continuously back up incrementally. Other variants target IoT-based gadgets and mobile devices (Anderson 2016). Unusually, a few variants have been recorded posing as local government law enforcement, accusing individuals of owing fees or fines; some accuse the victim of conducting criminal operations or participating in sexual entertainment. To generate more authentic-looking information about the target, attackers aim to utilise new strategies regardless of their geographical area (Al-rimy, Maarof & Shaid 2018). It is almost impossible for law enforcement officers to provide security for everyone's computer system; thus, no law enforcement agency will remotely block access to a computer system and then offer to unlock it.

Implementation of the University of California ransomware attack

Ransomware is malware that encrypts a victim's important files. Having encrypted them, the attacker demands a ransom to restore access to the encrypted files once payment has been made. Due to a lack of security measures, on June 1, 2020, the ransomware attacked the Faculty of Medicine (Wani & Revathi 2020). This attack encrypted many private documents within a limited number of university servers. It was later determined that expired security measures had left the system vulnerable to malicious attack.

Figure 2: How the attack happens (Block & Files 2020)

In such ransomware attacks the attackers are not easily identified, which remains a serious threat for the target. The BBC reported that before this incident the university had an agreement with a third-party IT security provider, as the university did not have enough manpower for its own web security. This was identified as the main reason for the attack, and it was later found that all the computer systems at the Faculty of Medicine were running on Windows OS, which had well-known security weaknesses. As the faculty had a weaker security system, its computer security mechanisms were easily exploited by the attackers, who took over file access (Dullea, Budke & Enko 2020). Two types of ransomware were launched against the university servers to encrypt the files: the attackers used both Locker and Crypto methods. After getting into the vulnerable system, the attackers first injected the Locker ransomware and took full control of the system without manipulating any data on the server. Later, another malicious file, known as Crypto, was injected into the servers; it blocks all access to the important files on the server. Both kinds of ransomware use similar injection methods, but their outcomes are different and impactful.
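As an added illustration (not part of the original post and not UCSF's tooling), the Python detector below flags the behaviour the Crypto stage described above produces on a file server: many files rewritten with high-entropy content and a new extension within a short window. The host names, paths, thresholds and event records are constructed for the example.

```python
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0     # bits/byte; encrypted output sits close to the 8.0 maximum
WINDOW_SECONDS = 60    # look-back window per host
BURST_THRESHOLD = 5    # suspicious rewrites within one window before alerting

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, low for text or CSV."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_suspicious(path_before: str, path_after: str, content: bytes) -> bool:
    """Extension changed AND high-entropy content: a file encrypted in place and renamed."""
    ext = lambda p: p.rsplit(".", 1)[-1] if "." in p else ""
    return ext(path_before) != ext(path_after) and shannon_entropy(content) >= HIGH_ENTROPY

def detect_encryption_bursts(events):
    """events: (ts_seconds, host, path_before, path_after, content_written) tuples.
    Returns {host: timestamp at which the burst threshold was crossed}."""
    per_host = defaultdict(list)
    for ts, host, before, after, content in sorted(events, key=lambda e: e[0]):
        if is_suspicious(before, after, content):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        start = 0                          # left edge of the sliding window
        for i, ts in enumerate(times):
            while ts - times[start] > WINDOW_SECONDS:
                start += 1
            if i - start + 1 >= BURST_THRESHOLD:
                alerts[host] = ts
                break
    return alerts

# Constructed sample telemetry (not from the incident): one server being encrypted,
# one doing ordinary work, including a benign high-entropy archive write.
CIPHERTEXT_LIKE = bytes(range(256)) * 4                  # entropy exactly 8.0
PLAINTEXT = b"patient_id,visit_date,result\n" * 40        # entropy below 4.0
SAMPLE_EVENTS = [
    (i * 5.0, "med-srv-01", f"/share/study{i}.csv", f"/share/study{i}.csv.locked", CIPHERTEXT_LIKE)
    for i in range(6)
] + [
    (3.0, "med-srv-02", "/share/notes.txt", "/share/notes.txt", PLAINTEXT),          # normal edit
    (9.0, "med-srv-02", "/share/old.csv", "/share/old.csv.bak", PLAINTEXT),          # rename, plaintext
    (12.0, "med-srv-02", "/share/backup.zip", "/share/backup.zip", CIPHERTEXT_LIKE),  # archive, no rename
]

if __name__ == "__main__":
    print(detect_encryption_bursts(SAMPLE_EVENTS))   # {'med-srv-01': 20.0}
```

The alert fires at the fifth suspicious rewrite on med-srv-01, well before all files are touched, while the plaintext rename and the archive write on med-srv-02 are ignored.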


The impact of the malware attack

This malicious attack impacted the Faculty of Medicine the most, as the cybercriminals had not declared any ceasefire against medical targets even during the global COVID-19 pandemic. The Netwalker hackers had taken down the website of the public health district and limited access to the server (The Hill 2020). This cyber-attack did not directly impact the patients at the hospital or any delivery operations, but it had a minor impact on COVID-19 vaccine research (Dullea, Budke & Enko 2020). Although the hackers did not expose any private patient information, it was at risk of going public. The university authority was unable to contain the malicious attack because it was occurring within the compromised servers, and it was quarantining the servers repeatedly; as a result, the university authority was cut off from regaining access. Later, in a press briefing, the university authority described the attack as "opportunistic", as the attackers were targeting the specific systems continuously (Kharraz, Robertson & Kirda 2018). Some IT staff tried to unplug all the computers from the central systems in a race to stop the ransomware from spreading, but their efforts failed because the whole server was already compromised.

Recovery from the attack

It was clear that the data was important for the School of Medicine, and the university authority started negotiations with the criminals to get the data back. On June 26, the university authority said in a statement that the encrypted data was crucial for its academic work serving the public good (Wani & Revathi 2020). The university authority confirmed that its data protection system was inadequate on these servers and that the encrypted files self-evidently could not be restored from any backups. This forced the authority to pay a huge ransom. An initial $3m was demanded by the Netwalker criminals, but after haggling the university authority paid approximately $1.14m in exchange for unlocking the encrypted files. Within a couple of days the IT staff had received the decryption key from the hackers and recovered all the encrypted files.



Figure 3: Encrypted interface of the system (Block & Files 2020)

As part of the recovery process, the university authority contacted the hackers through a dark web page that looked like a standard customer service website; the homepage even had options for a software sample and live chat for the end users (Nadir & Bakhshi 2018). The attackers had implemented a countdown timer: failure to pay the ransom within that period would double the ransom amount or delete the scrambled data. Login instructions were displayed on the computer screen, and the hackers left a note on the hacked computer system. Over a couple of days the negotiation continued, and the university decided to pay 116.4 bitcoins to the Netwalker's electronic wallet, after which the attackers sent the decryption software to the university authority.

Approximate damage and redundancy of ransomware

A booby trap is used in most cases of ransomware, and research suggests that the practice is increasing surprisingly fast, with improved methods appearing day by day. Proofpoint's cybersecurity specialists said that in January 2021 alone, a variety of phishing emails that included fake COVID-19 results were sent to organisations in various countries (Pletinckx, Trap & Doerr 2018).


Cybercrime has spread throughout the world, and there are a lot of automated hacking tools available. These tools allow anybody to become a cybercriminal in seconds. The popularity of ransomware has grown with the increased usage of cryptocurrency all over the world (Nadir & Bakhshi 2018). Cryptocurrency is a digital currency that is highly secure and anonymous and uses encryption for verification and transactions.

Figure 4: Ransomware damages between 2015 and 2021 (Hassed out 2019)

From Figure 4 we can get an idea of the devastating damage ransomware caused from 2015 to 2021. To avoid such incidents, experts always point to the same measures to follow: back up data, block harmful or suspicious websites, and apply filters to email to eliminate the risk and reduce the amount of malware (Zimba, Wang & Chisimba 2021).

Reasons for frequent and effective ransomware attacks

The University of California authority had changed its data protection method shortly before the incident occurred, moving completely from Commvault to Rubrik in August 2020. In the post-attack investigation, the university authority found that, owing to a lack of security from the previous security providers, the Netwalker attackers found it easy to attack the servers. They also identified several reasons behind the incident:

· User awareness issue


Lack of knowledge on the victim's side makes it easier for a ransomware attack to succeed. Victims are simply unaware of the threat and pay the ransom to get rid of the infection. Preventing such attacks requires correct and complete knowledge; lack of knowledge means the threat is not detected, which results in further damage to their systems (Pletinckx, Trap & Doerr 2018).

· Agreeing to pay

Ransomware is considered the most awful and devastating malware by victims in most cases, and the fear of losing important information forces them to pay the hackers. There is a misconception among most victims that they will get their data back safely after paying the ransom, but the reality is a bit different: paying the ransom does not work every time (Nadir & Bakhshi 2018).

· Lack of protection

The success rate of ransomware is increasing day by day because most victims do not have enough protection to prevent unauthorised access and block intruders from the system (Pletinckx, Trap & Doerr 2018). Security measures should be followed in organisations while surfing the internet and handling email. Several blogs work to increase awareness of how to stay safe from malware.

· Versatile spreading techniques

Ransomware has become so versatile that it is almost impossible to stop. It changes its method and style frequently, adopting new techniques to replicate the devastating damage. For instance, the WannaCry ransomware used Windows SMB to spread throughout the network (Nadir & Bakhshi 2018); it mostly attacked those who had SMB exposed to the internet. Even in recent surveys it has been found that malware developers are now trying new methods to inject malicious code into Microsoft Office as well.

Summary

Ransomware has hit organisations in essentially every vertical; one of the most widely reported attacks was on Presbyterian Memorial Hospital. This attack highlighted the likely harm and dangers of ransomware. Labs, drug stores and trauma centres were hit. In selected cases and scenarios the impact of ransomware attacks may not be so devastating, but it causes a great deal of anxiety and hassle for organisations. It is quite noticeable from the graphs and images how cyber-attacks have evolved in recent years. We cannot secure a computer system 100%, but strong knowledge and precautions can be helpful in reducing the damage and hassle caused by malware attacks.

References

Al-rimy, BAS, Maarof, MA & Shaid, SZM 2018, 'Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions', Computers & Security, vol. 74, pp. 144-166.

Anderson, W 2016, 'Protecting Yourself from Ransomware and Cyber-Attacks', GP Solo, vol. 33, no. 5, pp. 48-52.

Aniello, C, Francesco, M, Vittoria, N, Santone, A & Visaggio, CA 2018, 'Talos: No more Ransomware Victims with Formal Methods'.

BBC News 2020, How hackers extorted $1.14m from University of California, San Francisco, viewed 28th April, <https://www.bbc.com/news/technology-53214783>.

Blocks & Files 2020, UCSF ransomware attack: University had data protection, but it was not used on affected systems, viewed 27th April, <https://blocksandfiles.com/2020/08/18/ucsf-ransomware-attack-data-protection/>.

Dullea, E, Budke, C & Enko, P 2020, 'Cybersecurity Update: Recent Ransomware Attacks Against Healthcare Providers', Missouri State Medicine Association, vol. 117, no. 6, pp. 533-534.

Hassed out 2019, Ransomware Attacks Surpasses $7.5 Billion in 2019, viewed 30th April 2021, <https://www.thesslstore.com/blog/ransomware-statistics/>.

Kharraz, A, Robertson, W & Kirda, E 2018, 'Protecting against ransomware: A new line of research or restating classic ideas?', IEEE Security & Privacy, vol. 16, no. 3, pp. 103-107.


Nadir, I & Bakhshi, T 2018, 'Contemporary cybercrime: A taxonomy of ransomware threats & mitigation techniques', in 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), IEEE, pp. 1-7.

Pletinckx, S, Trap, C & Doerr, C 2018, 'Malware coordination using the blockchain: An analysis of the Cerber ransomware', in 2018 IEEE Conference on Communications and Network Security (CNS), IEEE, pp. 1-9.

The Hill 2020, University of California victim of ransomware attack, viewed 29th April, <https://thehill.com/policy/cybersecurity/546335-university-of-california-victim-of-ransomware-attack>.

University of California 2020, A type of malicious software designed to block computer system access, until a sum of money is paid, viewed 30th April 2021, <https://it.clas.ucsf.edu/article/the-rise-of-ransomware-attacks/#prettyPhoto>.

Wani, A & Revathi, S 2020, 'Ransomware protection in IoT using software defined networking', International Journal of Electrical & Computer Engineering, vol. 10, no. 3, pp. 3166-3175.

Zimba, A, Wang, Z & Chisimba, M 2021, 'Addressing Crypto-Ransomware Attacks: Before You Decide whether To-Pay or Not-To', Journal of Computer Information Systems, vol. 61, no. 1, pp. 53-63.
