How hackers extorted $1.14m from University of California, San Francisco

By Joe TidyCyber reporter 

• 2 hours ago

• Share this with Facebook
 
• Share this with Messenger
 
• Share this with Twitter
 
• Share this with Email
 
• Share

Related Topics

• Coronavirus pandemic

Image copyrightGETTY IMAGES

A leading medical-research institution working on a cure for Covid-19 has admitted it paid hackers a $1.14m (£910,000) ransom after a covert negotiation witnessed by BBC News.

The Netwalker criminal gang attacked University of California San Francisco (UCSF) on 1 June.

IT staff unplugged computers in a race to stop the malware spreading.

And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.

Cyber-security experts say these sorts of negotiations are now happening all over the world - sometimes for even larger sums - against the advice of law-enforcement agencies, including the FBI, Europol and the UK's National Cyber Security Centre. 

Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.

Image captionExperts say these sorts of negotiations are now happening all over the world

At first glance, its dark-web homepage looks like a standard customer-service website, with a frequently asked questions (FAQ) tab, an offer of a "free" sample of its software and a live-chat option. 

But there is also a countdown timer ticking down to a time when the hackers either double the price of their ransom, or delete the data they have scrambled with malware.

Instructed to log in - either by email or a ransom note left on hacked computer screens - UCSF was met with the following message, posted on 5 June.

Six hours later, the university asked for more time and for details of the hack to be removed from Netwalker's public blog.

Noting UCSF made billions a year, the hackers then demanded $3m

But the UCSF representative, who may be an external specialist negotiator, explained the coronavirus pandemic had been "financially devastating" for the university and begged them to accept $780,000. 

After a day of back-and-forth negotiations, UCSF said it had pulled together all available money and could pay $1.02m - but the criminals refused to go below $1.5m.

Hours later, the university came back with details of how it had procured more money and a final offer of $1,140,895. 

And the next day, 116.4 bitcoins were transferred to Netwalker's electronic wallets and the decryption software sent to UCSF. 

UCSF is now assisting the FBI with its investigations, while working to restore all affected systems.

It told BBC News: "The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.

"We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.

"It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate."

Image copyrightIBRAVE

Image captionThe hackers and the university negotiated in a live chat on the dark web

But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: "Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities. 

"Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise."

Brett Callow, a threat analyst at cyber-security company Emsisoft, said: "Organisations in this situation are without a good option.

"Even if they pay the demand, they'll simply receive a pinky-promise that the stolen data will be deleted. 

"But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?"

Most ransomware attacks begin with a booby-trapped emaiI and research suggests criminal gangs are increasingly using tools that can gain access to systems via a single download. In the first week of this month alone, Proofpoint's cyber-security analysts say they saw more than one million emails with using a variety of phishing lures, including fake Covid-19 test results, sent to organisations in the US, France, Germany, Greece, and Italy. 

Organisations are encouraged to regularly back-up their data offline.

But Proofpoint's Ryan Kalember said: "Universities can be challenging environments to secure for IT administrators.

"The constantly changing student population, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack."

Officials: Nearly 1/3 of Pakistani pilots have fake licenses, deadly plane crash probe reveals

By Munir Ahmed and Asim Tanveer

Thursday, June 25, 2020 12:00PM

EMBED <>MORE VIDEOS 

From May 22, 2020: A passenger plane with 107 people on board crashed in a crowded neighborhood on the edge of the international airport near Pakistan's southern port city of Karachi on Friday.

ISLAMABAD -- The latest: Pakistan's state-run airline announced Thursday it would ground 150 pilots on charges they obtained their pilot licenses by having others take exams for them.

Abdullah Hafeez, a spokesman for Pakistan International Airlines, said the decision comes after a probe into last month's PIA crash that killed 97 people in the city of Karachi.

Hafeez, without sharing specific details, said a process to remove the 150 pilots who possessed tainted licenses had been initiated.

"We will make it sure that unqualified pilots never fly aircraft again," he told The Associated Press.

The move by PIA to ground the pilots comes a day after the country's aviation minister, Ghulam Sarqar Khan, said 262 out of 860 pilots in the country had "fake" licenses. He made the revelation while presenting preliminary findings to parliament of a probe into the May 22 Airbus A320 aircraft crash in Karachi.

This is a breaking news update. A previous version of this report is below.

Pakistan's aviation minister said Wednesday that "human error" on the part of the pilot, the co-pilot and air traffic control caused last month's Pakistan International Airlines crash in the port city of Karachi that killed 97 people.

The announcement shed new light on the tragedy after Pakistani investigators earlier said only that the crash resulted from engine failure. It also revealed previously unconfirmed details, including that the plane had made a failed attempt at landing during which its engines apparently scraped the runway, causing significant damage.

The plane went down in a residential area near Jinnah International Airport on May 22, just days after Pakistan lifted restrictions imposed over the coronavirus pandemic and resumed domestic flights ahead of the major Muslim holiday of Eid al-Fitr, which marks the end of the Islamic holy month of Ramadan.

Pakistan had been in a countrywide lockdown since mid-March because of the virus.

When flights resumed in May, every other seat on planes was left vacant to promote social distancing, including on the doomed Pakistan International Airlines flight.

There were only two survivors of the Airbus A320 crash, which was carrying 91 passengers and eight crew members. A 13-year-old girl from the neighborhood where the plane went down was critically injured and later died in a hospital.

Aviation Minister Ghulam Sarwar Khan, presenting preliminary findings in Pakistan's probe into the crash in parliament, said the pilot ignored instructions from air traffic control while trying to land.

According to the cockpit voice recorder, which was later found among the debris on the ground, the pilots had discussed the coronavirus throughout the flight, which had apparently affected their families.

Pakistan reported 60 more COVID-19 deaths, increasing its fatalities from the new coronavirus to 3,755. Pakistan has reported 188,926 cases since February when it reported its first confirmed case. In a bid to contain the virus, Pakistan's government has sealed off high-risk residential areas across the country.

The crash took place when the plane attempted to land a second time. Air traffic control told the pilot three times that the plane was too low to land but he refused to listen, saying he would manage, Khan said.

The minister added that for its part, air traffic control did not inform the pilots about damage caused to the engines after the plane's first failed landing attempt.

"The engines of the plane were damaged when they scraped the runway but the air traffic control did not inform the pilot," he said.

"Thus, pilots and ATC both did not follow protocols," Khan told the National Assembly, the lower house of parliament.

Khan insisted the plane's crew was healthy and the Airbus A320 was completely fit to fly and "had no technical fault" prior to the crash. A full report on the crash is expected in a year's time.

He said both the pilot and the co-pilot were extremely experienced but "due to overconfidence and lack of focus," the tragedy took place.

Just minutes before the crash, the flight crew declared an emergency and stated that both engines had failed, Khan read from the report.

"The aircraft crashed about 1,340 meters short of the runway," he said.

Glasgow stabbing: Man shot dead named as Badreddin Abadlla Adam

• 59 minutes ago

• Share this with Facebook
 
• Share this with Messenger
 
• Share this with Twitter
 
• Share this with Email
 
• Share

Related Topics

• Glasgow stabbings

Image captionFlowers have been left at West George Street where the attack took place

The man shot dead by police during a stabbing attack in Glasgow on Friday has been named as Badreddin Abadlla Adam. He was from Sudan.

The 28-year-old's identity is "based on information the deceased provided to the Home Office earlier this year", Police Scotland said.

PC David Whyte, 42, was one of six people injured in the attack at the Park Inn Hotel.

Police Scotland said it was continuing to "investigate the circumstances".

Suspect Mr Adam died after being shot by specialist officers from the force.

"The police discharge of firearms resulting in a fatality will also continue to be fully investigated by the Police Investigations and Review Commissioner (PIRC)," the force said.

"Both of these inquiries, which take place under the direction of the Lord Advocate, are ongoing and it would not be appropriate to speculate either about the events or the outcomes of these investigations."

Image captionPC David Whyte is being treated in hospital for serious injuries

PC Whyte was critically injured in the attack and described the scene as "something I will never forget".

Police said the other five casualties remained in hospital, one of them in a critical condition.

• Glasgow stabbings: What we know
• Concerns over asylum hotel plan ahead of stabbings

They have been described as three asylum seekers who were staying at the Park Inn Hotel at the time of the attack, and two hotel staff.

Nicola Sturgeon wished all those who were injured a "full and speedy recovery".

Skip Twitter post by @NicolaSturgeon

Nicola Sturgeon

✔@NicolaSturgeon

My thoughts today remain with Constable Whyte - whose bravery we are all deeply grateful for - and the other people who sustained injuries in yesterday’s terrible incident. I wish them all a full and speedy recovery. https://twitter.com/policescotland/status/1276834465185226752 …

Police Scotland

✔@policescotland

Police Constable David Whyte, who was injured in the incident in West George Street, #Glasgow, on Friday 26 June, is now in a stable condition in the Queen Elizabeth University Hospital.

2,606

12:20 PM - Jun 27, 2020

Twitter Ads info and privacy

314 people are talking about this

Report

End of Twitter post by @NicolaSturgeon

Assistant Chief Constable Steve Johnson said the attack was not being treated as terrorism.