Ransomware Attack of UCSF (University of California, San Francisco): They didn’t use data protection on affected systems.

In June, UCSF paid $1.14m in bitcoin (116.4 bitcoin) to recover encrypted files from ransomware attackers. However, according to news reports, the university did not apply data protection to the affected system files.

According to an announcement by Sysanna Chau of its Data Centre Services unit, UCSF changed its data protection from Commvault to Rubrik in August 2019.

Chau said at the time that Rubrik’s Atlas file system is stable and not accessible over the network, preventing ransomware attacks from getting to it. 

On June 1, a limited number of servers within the School of Medicine were encrypted by ransomware attackers. 

Blocks & Files understands that at the time of the attack the Rubrik solution was not in place on the servers. It is not known whether the university had put other changes in place; if it did, these clearly failed.

By quarantining the compromised servers, UCSF was able to limit the NetWalker ransomware attack. At the time, the university described the criminals' targeting of those specific systems as opportunistic.

Clearly, the data was important for the School of Medicine, so UCSF soon began negotiations with the criminals. The criminals initially demanded $3m, but after the demand was haggled down, the UCSF IT crew received a decryption key and recovered the files towards the end of June.

According to a statement from UCSF on June 26, “the data that was encrypted is important to some of the academic work. So, we made a difficult decision to pay some amount of the ransom. We decided to pay $1.14m to the attackers behind the malware attack in exchange for a tool to unlock the encrypted data.”

By paying the ransom, UCSF confirmed that its data protection arrangements for these servers were inadequate. Neither UCSF nor Rubrik would provide official statements about data protection, and we also don’t know what data protection measures, if any, were in place for the affected servers.

After talking to sources close to the situation, we can say that the encrypted file system was not protected by the Rubrik software.