What is the state of the 'ransom negotiations' between hackers and universities affected by ransomware?



Damage from ransomware, which encrypts the system of an infected computer and demands a ransom in exchange for the key needed to recover it, has been confirmed at a wide range of companies and institutions, including hospitals and local governments. Bloomberg has reported on the ransom negotiations between the hacker who locked servers at the University of California San Francisco (UCSF) with ransomware and the 'negotiator' UCSF brought in to deal with them.

UCSF Hack Shows Evolving Risks of Ransomware in the Covid Era - Bloomberg
https://www.bloomberg.com/news/features/2020-08-19/ucsf-hack-shows-evolving-risks-of-ransomware-in-the-covid-era

On June 1, 2020, servers used by UCSF's Department of Epidemiology and Biostatistics were hit by a ransomware attack, leaving their data inaccessible. The hackers claimed to have used only seven servers to encrypt the data, and to have stolen at least 20 GB of data.

The hacker demanded a $3 million ransom (about 320 million yen) from UCSF in exchange for the key to unlock the data. Rather than simply paying the ransom as demanded, or refusing to pay and breaking off contact, UCSF decided to hire a private 'negotiator'. Companies and agencies hit by ransomware often hire specialized negotiators, who work to keep the data safe while pressing for concessions that lower the ransom.

On June 5, UCSF's negotiator entered a chat room set up by the hackers and began the ransom negotiations. Bloomberg obtained the history of this chat, which shows the hackers' demands and the negotiator's responses to them. UCSF has not identified the hacker, but Bloomberg points out that the hacker's English had 'a quirk peculiar to a person whose native language is Russian'.



When the negotiator joined the chat room, '2 days and 23 hours' remained until the payment deadline the hackers had set. The hackers claimed the ransom would double once the deadline passed, and demanded payment before it expired.

The negotiator first hinted that the department hit by the ransomware was helping to develop treatments and a vaccine for the novel coronavirus disease (COVID-19), and that its researchers had not had time to back up their data properly. The negotiator also argued that paying the ransom would be difficult because, on top of the large sums UCSF was spending on COVID-19 research, the university had to absorb the cost of classes suspended under the city lockdown.

The hacker, however, was unmoved by the negotiator's appeal, replying that for a university with annual revenue of more than $7 billion (about 740 billion yen), a ransom of a few million dollars (several hundred million yen) was no great burden. Presenting some of the data that had actually been stolen, the hacker said, 'We are 100% confident that if we publish student records or data, you will lose more than the ransom we are requesting.'

It should be noted that the chats Bloomberg obtained were all made in the course of 'negotiation', so not everything the hackers and the UCSF negotiator said is necessarily true. Whether the negotiator's claim that 'the attacked department was conducting research on COVID-19 and the data backup was insufficient' was accurate remains unclear.



With 2 days, 22 hours and 31 minutes remaining, the UCSF negotiator explained that every decision had to go through a university committee and asked for a two-day extension of the payment deadline. In response, the hackers extended the deadline. 'In this case, the hackers were enjoying the conversation. It seemed to be part of the game,' said Moty Cristal, an Israeli ransomware negotiator, of the chat history.

At first glance, extending the payment deadline seems to benefit only the victim, not the hackers. Cristal pointed out, however, that the extension allows 'hackers to investigate the stolen data'. If that data turns out to include highly confidential material, the hackers can expect the victim to pay even a higher ransom, and the negotiations may then turn in the hackers' favor.

Throughout the negotiations, the UCSF negotiator treated the hackers politely and at times even flattered them. 'I'm going to work with you to solve the problem, but it requires mutual respect, doesn't it?' the negotiator said to the hackers. This approach seemed to work: the hacker replied, 'We never underestimate clients who treat us with respect.'



The negotiator eventually suggested to the hackers that the university committee could approve a ransom of up to $780,000 (about 82 million yen), but that half of that, $390,000 (about 41 million yen), was the realistic figure. The hackers dismissed this as a deeply insulting offer, raised the option of sending UCSF student and faculty data to the Federal Trade Commission (FTC), and told the negotiator to come back with a serious proposal.

The hackers implied that some of the stolen data would look bad if the FTC saw it, but the negotiator appears to have treated this as a bluff. 'We are not interested in the FTC. We just want to unlock the computers in order to get the data back. I know you want to make a lot of money in this negotiation, but you just need to understand that there is no cash here,' the negotiator told the hackers.

The next day, the negotiator again offered the same $780,000 ransom as the day before, but the hacker refused: 'Keep that $780,000 to buy McDonald's for all your employees. No, that amount is too small for us. How can I accept $780,000? That would be working for nothing.'

According to the negotiator, the exchange became emotional on both sides from this point on. 'I haven't slept for a few days because of these negotiations,' the negotiator said, and asked, 'Please, what should I do?' The hacker replied, 'My friend, your team should understand that this is not your responsibility. All devices that connect to the Internet are vulnerable.' Of course, the words of both the negotiator and the hackers may have been nothing more than negotiating tactics, and it is not certain that the negotiator was acting alone.



On June 9, the UCSF negotiator offered a ransom of just over $1 million (about 110 million yen), and the hackers demanded $1.5 million (about 160 million yen). The negotiator then made a further offer: 'There is some good news I would like to share. School officials who know about this issue have offered $120,000 in support on hearing that the negotiations are close. Normally we could not accept this donation, but if you agree to finish the negotiations quickly, we will accept it. Won't we both sleep well once the negotiations are over?'

The hackers accepted the offer, and the two sides settled on a ransom of $1.14 million (about 120 million yen). Once UCSF paid the ransom in Bitcoin, the hacker sent the decryption key, returned all of the stolen data they had been holding, and showed that their copy had been deleted. The whole transaction closed at 2:48 am on June 14. At the very end, the hacker asked the UCSF negotiator out of curiosity, 'Which company are you?', a question the negotiator did not answer.

in Note, Software, Security, Posted by log1h_ik