UCSF ransomware attack: University had data protection but it wasn’t used on affected systems

The University of California San Francisco (UCSF) paid $1.14m in bitcoin (116.4 bitcoin) to ransomware attackers in June to recover encrypted files, despite having at least one data protection contract in place. However, Blocks & Files understands the University had not deployed the vendor’s product on the affected systems, so their files were not covered by it.

UCSF changed its data protection from Commvault to Rubrik in August 2019, according to an announcement by Susanna Chau of its Data Centre Services unit. Part of the reason was improved security. Chau said at the time that Rubrik’s Atlas file system is immutable and not accessible over the network, preventing ransomware attacks from getting to it.

On June 1, ransomware attackers encrypted files within “a limited number of servers within the School of Medicine” IT environment. B&F understands the Rubrik solution was not in place on the servers in question at the time of the attack. It is not known whether the university had other mitigations in place for those servers; if it did, they clearly failed.

UCSF was able to limit the NetWalker ransomware attack as it was occurring by quarantining the compromised servers, thus isolating them from the main network. At the time, the University described the criminal targeting of those specific systems as “opportunistic”.

Clearly, the School of Medicine data was important, and UCSF soon began negotiations with the criminals. After haggling them down from an initial $3m demand, the UCSF IT crew received a decryption key and recovered the files towards the end of June.

A June 26 UCSF statement said: “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

UCSF Parnassus Heights campus

By paying the ransom, UCSF confirmed that its data protection arrangements for these servers were inadequate. The encrypted file contents self-evidently could not be restored from any backups, if they existed. Note, however, that the June 26 statement also cites “the return of the data they obtained”; where attackers have exfiltrated data before encrypting it, even a fully recoverable backup does not remove the pressure to pay.

Neither UCSF nor Rubrik would provide official statements and we don’t know what, if any, data protection measures were in place for the affected servers.

Our understanding after talking to sources close to the situation is that the encrypted file systems were not protected by the Rubrik software. Meanwhile, UCSF appears to be a satisfied Rubrik customer and continues to use its technology.

UCSF is a research university exclusively focused on health and has schools dedicated to Medicine, Pharmacy, Dentistry and Nursing. The School of Medicine has 2,719 full-time faculty staff across seven sites in San Francisco and a branch in Fresno in the San Joaquin valley.