Bloomberg has released details of a week-long negotiation between the University of California and the operators of the NetWalker ransomware.
The university’s medical school was working on a vaccine against Covid-19 this June when hackers shut down seven of its servers. Contrary to the advice of the FBI, the university took matters into its own hands and negotiated privately.
Using flattery and appeals to the hackers’ compassion and ethics, the university’s negotiator was able to cut the ransom from $6 million to just over $1 million in Bitcoin (BTC) and restore the systems.
The negotiator immediately tried to get the intruding “operator” on their side, insisting on respect from both parties: “I am ready to work with you, but there has to be mutual respect. Don’t you agree?” Without waiting for an answer, they also appealed to the attacker’s pride:
“I read about you on the internet and I know that you are a very popular and professional ransomware group of hackers. I know that if we agree on the price, you will respect your word, right?”
This seemed to work, judging by the operator’s answer: “We focus 100% on respect and will never disrespect a customer who speaks to us with respect.”
The negotiation turned emotional on both sides when the negotiator pleaded poverty, claiming that all of the money had gone into research and that nothing was left.
The operator called this an obvious deception, replying that a school with annual revenue exceeding $7 billion should have no problem paying a few million:
“You have to understand that as a large university you can […] collect this money within two hours. You have to take us seriously.”
The university’s opening offer was $780,000, which the operator ridiculed as well. “Keep that $780,000 to buy McDonald’s for all of the employees. A very small amount for us,” he added, “I’m sorry.”
More time – for both sides
As is customary in ransom cases, the negotiator then requested another two days for the “university committee that makes all decisions” to meet again. The operator agreed, on the condition that the ransom would double from USD 3 million to USD 6 million.
Moti Crystal, a Tel Aviv-based ransomware negotiator, told Bloomberg that such an extension can also benefit the attackers, giving them time to assess the value of the data they have stolen.
The NetWalker group is a large criminal enterprise that rents out its software on a franchise (ransomware-as-a-service) basis. In March of this year the group posted a recruitment advertisement and added new affiliates to its network.
At this point, either out of desperation or as a psychological tactic, the negotiator began to appeal to the operator’s sympathy. They wrote, “I haven’t slept in two days trying to figure it out for you,” and added, “It’s considered a failure by everyone here, and it’s all my fault that this happens.”
“The longer this takes, the more I hate myself […] I’m just asking you to be the only person in my life who treats me kindly. You are the only one in the world now who knows exactly what I am going through.”
The operator apparently replied, “My friend, your team needs to understand that this is not your fault. Every device on the internet is vulnerable.”
Four days after the attack, the negotiator finally returned with an offer of over $1 million. The operator, saying it was breaking its own rules, agreed to accept an additional $120,000 in donations to close the negotiations, and attached a time constraint:
“We can’t usually accept these donations, but we’re ready to get them working only if you agree to get it off quickly.”
Over the following 36 hours the university arranged the purchase of 116 Bitcoin ($1.14 million) and sent the money to the attackers. It took the hackers another two days to confirm the deletion of all sensitive data and to restore the university’s access.
After more than eight days without access, the university was able to reach all of its servers again. However, the servers remained offline while the incident was investigated together with the FBI and other cybersecurity advisers. In its last update, on June 26, the university stated that the investigation was still ongoing.