“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million…”


UCSF Under Attack

On June 3rd, 2020, The University of California San Francisco (UCSF) announced a portion of their school faced a data breach. The portion of UCSF affected is the UCSF School of Medicine. 

Reports indicate that the ransomware used to attack the school traces back to Netwalker Ransomware. After the discovery of the security incident and data encryption, UCSF decided to pay over one million dollars in ransom, for a decryption key. 

Now, let’s take a look at the incident in greater detail, to understand the attack in its entirety. 


USCF, The Institution

To begin, UCSF or The University of California San Francisco is a public research university located in, you guessed it, San Francisco. UCSF is one of the most difficult schools to gain acceptance to, for someone pursuing medicine. 

Further, UCSF is entirely dedicated to science and medicine, thus earning the reputation and title of one of the best schools and centers for medical research and teaching.  

Now, the school in every way, is ready to educate and train medical professionals; it’s what they do. But, what they were not prepared for, was a ransomware attack. This attack affected a portion of the school of medicine, but not all. 


The Attack

Continuing on, the portion of the school under attack reports that a portion of their IT department faced the ransomware. In a statement update from UCSF, they claimed that they were able to halt the attack.


We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network. Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work.


Following their initial update statement, UCSF claims that certain servers are now inaccessible due to the ransomware. This leads to the university working with cyber security experts in order to fix this problem. 


While we stopped the attack as it occurred, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible. Since that time, we have been working with a leading cyber-security consultant to investigate the incident and reinforce our IT systems’ defenses. We expect to fully restore the affected servers soon.


The Ransom

Moving on through the statement from the school, topics of recovery and quelling the situation appear. The solution decided upon by UCSF happened to be paying a portion of the ransom in order to receive a decryption key.

Further, this is a dangerous but possibly necessary move on the part of the school. There is yet to be confirmation on whether or not the key the received is valid. 

Nonetheless, UCSF paid $1.14 Million in order to gain access to their encrypted and stolen data.


The data that was encrypted is important to the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million. This is in exchange for a tool to unlock the encrypted data and the return of the data they obtained.


UCSF ends the statement with acknowledgement to continuing their investigation into the incident. The school is cooperating with law enforcement, and claims to share all the information about the attack that they can at the moment. 


By Taylor Ritchey