Cyber Incident Victim: University of California, San Francisco
Date: Jun 2020
Location: United States of America
Summary
The University of California, San Francisco paid a $1.14 million ransom to the Netwalker ransomware group after attackers encrypted servers within its School of Medicine, disrupting academic work but not affecting COVID-19 research, patient care, or medical records. Following negotiations on the dark web, which began with an initial offer of $780,000, the institution paid to obtain a decryption tool and worked with external experts to restore affected systems, while the attackers leveraged media attention to pressure victims despite advisories against ransom payments.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 1, 2020, attackers encrypted servers within the University of California San Francisco’s School of Medicine, disrupting access to academic research data. The Netwalker ransomware group claimed responsibility for the attack, which specifically targeted a limited number of servers but did not impact COVID-19 research projects, patient medical records, or clinical operations at the affiliated UCSF Medical Center. Following the encryption, UCSF engaged in negotiations with the attackers through a dark web chat channel, initially offering $780,000 for a decryption tool. The attackers ultimately demanded and received a $1.14 million ransom payment, which the university paid to regain access to its encrypted data. The BBC reported observing these negotiations in real time through an anonymous tip, publishing excerpts of the chat exchanges where the criminals pressured the institution.

UCSF confirmed the payment on June 26, 2020, stating the decryption process was underway with assistance from external cybersecurity experts. The university emphasized that no patient care systems were compromised and that the affected servers primarily contained academic research data critical to public health initiatives. Netwalker, identified by security researchers as a group that ignored voluntary bans on targeting healthcare entities during the pandemic, employed media attention as leverage, with the BBC’s coverage amplifying pressure on UCSF during negotiations. The university restored the encrypted servers following the payment but did not disclose whether backups were available or utilized in the recovery process. Cybersecurity analysts noted this incident exemplified ransomware groups’ evolving tactics of publicizing attacks to coerce victims into paying ransoms despite official advisories against such payments.
