The details of a week-long negotiation between the University of California and a group of NetWalker hackers have been revealed by Bloomberg.
The university’s medical school was working on a vaccine for Covid-19 in June of this year when seven of its servers were disabled by the hackers. Despite the advice of the FBI, the university took matters into its own hands and conducted private negotiations.
The university’s negotiator used flattery, appealed to the hackers‘ sense of sympathy and ethics, and managed to reduce the ransom money from $6 million to just over $1 million at Bitcoin (BTC) and successfully restored the systems.
Did Jack Daniels thwart a ransomware attack or not?
From the beginning, the negotiator made sure to have the hacker ‚operator‘ on his side, asking for respect from both sides, „I’m willing to settle this with you, but there has to be mutual respect. Do you agree?“. Before waiting for a response, they also appealed to the attacker’s pride:
„I read about you on the Internet and I know you’re a famous group of hackers and very professional. I expect you to keep your word when we agree on a price, okay?“
This seemed to work with the operator’s response: „We are 100% respectful, and we will never disrespect a customer who speaks to us with respect.“
The negotiations reached a point where each side was very dedicated, and the negotiator complained that all the funds had been invested in the research and that none were available.
Realizing the obvious deception, the operator responded that a school that collects over $7 billion in annual revenue should have no problem paying a few million:
„You have to understand that, as a great university […] you can raise that money in a couple of hours. You need to take us seriously.“
The university’s first offer was for $780,000 and was also rejected by the operator. „Save that $780k to buy McDonald’s for all the employees. It’s a very small amount for us,“ and he added, „I’m sorry.
This ransomware has its own affiliate program
More time… for both sides
As is typical in rescue negotiations, the negotiator asked for two more days to allow „the university committee that makes all the decisions“ to meet again. The operator agreed to the condition that the $3 million ransom be doubled to $6 million.
A Tel Aviv negotiator, Moty Cristal, told Bloomberg that the extension could have been useful to the attackers as well, giving them time to identify the value of their stolen data.
The Netwalker group is a large-scale criminal enterprise and rents its software through a franchise-style program. The group published a recruitment announcement in March of this year, adding new affiliates to its network.
More and more staff
At this point, either out of desperation or as a psychological strategy, the negotiator began to appeal to the operator’s compassion. „I haven’t slept in a couple of days because I’m trying to solve this for you,“ he was told, „I’m being seen as a failure by everyone here and it’s my fault this is happening.
„The more time goes by, the more I hate myself […] All I ask is that you be the only one in my life right now who treats me right. You’re the only one who knows exactly what I’m going through.
The operator seemed to respond: „My friend, your team must understand that this is not your failure. All Internet devices are vulnerable.“
Unfortunately, ransomware attacks requiring crypto currency are here to stay
Four days after the attack, the negotiator returned with an offer of more than $1 million, saying they were bending their internal rules to accept an additional $120,000 donation, arguing that the negotiations would end. They even added the pressure of time:
„Normally we can’t accept these donations, but we’re willing to make it work only if you agree to end this quickly.“
The university spent 36 hours organizing the purchase of 116 Bitcoin Up ($1.14 million) and sending the funds to the attackers. It took two more days for the hackers to confirm the deletion of all important data and return access to the university.
After more than eight days without access, the university successfully gained full access to all its servers. However, the servers remained offline while they investigated the incident with the FBI and other cyber security consultants