The University of California, San Francisco (UCSF) says it paid cybercriminals $1.14 million (£1 million) to decrypt a “limited number of servers” in its School of Medicine that were hit by ransomware this month.

The University said that data encrypted in the attack (earlier attributed to the Netwalker ransomware family) was “important to some of the academic work we pursue as a university serving the public good.

It added: “We therefore made the difficult decision to pay… for a tool to unlock the encrypted data and the return of the data they obtained.”

The University – which has 10 campuses around California —  was hit by the ransomware attack on June 1. It said that it had “successfully isolated the incident from the core UCSF network… We believe that the malware encrypted our servers opportunistically, with no particular area being targeted.”

This University, which had an operating budget of $39.8 billion in 2019-20, was earlier reported by Bloomberg to be conducting clinical trials of potential COVID-19 treatments, as well as coronavirus antibody testing. It was not immediately clear if servers relating to this work were hit in the attack.

It isn’t entirely clear how the threat actors behind the Netwalker ransomware campaign gain an initial foothold into the networks they target, says Sophos, which “stumbled upon” a cache of tools used by the cybercriminals in late May. The British security firm added: “There are hints they take advantage of well-known, heavily publicized vulnerabilities in widely used, outdated server software (such as Tomcat or Weblogic) or weak RDP passwords.”

University of California ransom

Sophos notes the Netwalker group’s use of a “comprehensive set of tools used to perform reconnaissance on targeted networks; privilege-elevation and other exploits… and utilities that can steal, sniff, or brute-force their way to valuable information (including Mimikatz, and variants called Mimidogz and Mimikittenz, designed around avoiding detection by endpoint security).”

In an archive of tools left on a server used by the group, Sophos also found a “number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools”.

It is unusual for an organisation to publicly admit paying a ransom. Security professionals typically warn that it can expose institutions to further attacks.

The UCSF said: “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates.

“We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share.”

See also: Grasping at Thin Air? Can Ransomware Criminals Actually *Be* Caught?