Monday, 29 June 2020

How hackers extorted $1.14m from University of California, San Francisco


hacker and university imageImage copyrightGETTY IMAGES
A leading medical-research institution working on a cure for Covid-19 has admitted it paid hackers a $1.14m (£910,000) ransom after a covert negotiation witnessed by BBC News.
The Netwalker criminal gang attacked University of California San Francisco (UCSF) on 1 June.
IT staff unplugged computers in a race to stop the malware spreading.
And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.
Cyber-security experts say these sorts of negotiations are now happening all over the world - sometimes for even larger sums - against the advice of law-enforcement agencies, including the FBI, Europol and the UK's National Cyber Security Centre. 
Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.
The dark web payment and negotiation site used by REvil
Image captionExperts say these sorts of negotiations are now happening all over the world
At first glance, its dark-web homepage looks like a standard customer-service website, with a frequently asked questions (FAQ) tab, an offer of a "free" sample of its software and a live-chat option. 
But there is also a countdown timer ticking down to a time when the hackers either double the price of their ransom, or delete the data they have scrambled with malware.
Instructed to log in - either by email or a ransom note left on hacked computer screens - UCSF was met with the following message, posted on 5 June.
Hacker chat box saying [Operator]: 'Hi UCSF, don't be shy we can work together on the current incident'
Six hours later, the university asked for more time and for details of the hack to be removed from Netwalker's public blog.
Hacker chat box saying 'Done. Your data is hide from our blog. Now, let's discuss.'
Noting UCSF made billions a year, the hackers then demanded $3m
But the UCSF representative, who may be an external specialist negotiator, explained the coronavirus pandemic had been "financially devastating" for the university and begged them to accept $780,000. 
Hacker chat box saying 'How can I accept $780,000? Is like, I worked for nothing. You can collect money in a couple of hours. You need to take is seriously. If we'll release our blog, student records/ data, I am 100% sure you will lose more than our price what we asked. We can agree to an price, but not like this, because I'll take this like an insult'
Hacker chat box saying Keep that $780,000 to buy McDonalds for your employees. Is very small amount for us.'
After a day of back-and-forth negotiations, UCSF said it had pulled together all available money and could pay $1.02m - but the criminals refused to go below $1.5m.
Hacker text saying 'I spook with my boss. I sent him all messages and he can't understand how a university like you: 4-5 billions per year. Is really hard to understand and realise you can get $1,020,895. But ok. I really think your accountant/ departments can get $500,000 more. So we'll accept $1.5m and everyone will sleep well.'
Hours later, the university came back with details of how it had procured more money and a final offer of $1,140,895. 
Hacker text saying 'Ok good. Now you can sleep well :D
And the next day, 116.4 bitcoins were transferred to Netwalker's electronic wallets and the decryption software sent to UCSF. 
UCSF is now assisting the FBI with its investigations, while working to restore all affected systems.
It told BBC News: "The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
"We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.
"It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate."
Hacker imageImage copyrightIBRAVE
Image captionThe hackers and the university negotiated in a live chat on the dark web
But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: "Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities. 
"Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise."
Brett Callow, a threat analyst at cyber-security company Emsisoft, said: "Organisations in this situation are without a good option.
"Even if they pay the demand, they'll simply receive a pinky-promise that the stolen data will be deleted. 
"But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?"
Most ransomware attacks begin with a booby-trapped emaiI and research suggests criminal gangs are increasingly using tools that can gain access to systems via a single download. In the first week of this month alone, Proofpoint's cyber-security analysts say they saw more than one million emails with using a variety of phishing lures, including fake Covid-19 test results, sent to organisations in the US, France, Germany, Greece, and Italy. 
Organisations are encouraged to regularly back-up their data offline.
But Proofpoint's Ryan Kalember said: "Universities can be challenging environments to secure for IT administrators.
"The constantly changing student population, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack."

Saturday, 27 June 2020

Officials: Nearly 1/3 of Pakistani pilots have fake licenses, deadly plane crash probe reveals


Glasgow stabbing: Man shot dead named as Badreddin Abadlla Adam

  • 59 minutes ago
Related Topics

West George Street
Image captionFlowers have been left at West George Street where the attack took place
The man shot dead by police during a stabbing attack in Glasgow on Friday has been named as Badreddin Abadlla Adam. He was from Sudan.
The 28-year-old's identity is "based on information the deceased provided to the Home Office earlier this year", Police Scotland said.
PC David Whyte, 42, was one of six people injured in the attack at the Park Inn Hotel.
Police Scotland said it was continuing to "investigate the circumstances".
Suspect Mr Adam died after being shot by specialist officers from the force.
"The police discharge of firearms resulting in a fatality will also continue to be fully investigated by the Police Investigations and Review Commissioner (PIRC)," the force said.
"Both of these inquiries, which take place under the direction of the Lord Advocate, are ongoing and it would not be appropriate to speculate either about the events or the outcomes of these investigations."
PC David Whyte
Image captionPC David Whyte is being treated in hospital for serious injuries
PC Whyte was critically injured in the attack and described the scene as "something I will never forget".
Police said the other five casualties remained in hospital, one of them in a critical condition.
They have been described as three asylum seekers who were staying at the Park Inn Hotel at the time of the attack, and two hotel staff.
Nicola Sturgeon wished all those who were injured a "full and speedy recovery".
Presentational white space
Assistant Chief Constable Steve Johnson said the attack was not being treated as terrorism.

Why cows may be hiding something but AI can spot it

  By Chris Baraniuk Technology of Business reporter Published 22 hours ago Share IMAGE SOURCE, GETTY IMAGES Image caption, Herd animals like...