SAN FRANCISCO—Netwalker, a dark web ransomware operation, has persuaded the University of California San Francisco (UCSF) to pay over $1 million in an extortion scheme. Netwalker initially attacked UCSF on June 1. UCSF stated that its IT staff immediately unplugged the university’s computers in a bid to stop the malware spreading, but the damage was done as Netwalker demanded a ransom, which the institution negotiated and paid on June 28. According to a statement on UCSF’s website: “Our investigation is ongoing, but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted. The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates.”

Netwalker’s website is on the dark-web, but its homepage looks like a standard customer-service website, with features such as an FAQ tab, a live-chat option, and an offer to download a “free” sample of its software. It remains unknown how exactly UCSF’s computer system got hacked, but they were met with a ransom note left on hacked computers screens. The university explained that operators threatened to release student records and data, as well as their academic research if the university could not meet their ransom demand of $1 million. 

After a day of back-and-forth negotiations, UCSF said that it had pulled all available funds and could pay $1.14 million, and the amount was paid off in bitcoin to Netwalker’s electronic account.

UCSF is now working with the FBI to investigate, and is also working to restore all affected systems. Student records, medical records, and research were not released and still remain secure.