In brief

  • The University of California San Francisco paid over $1 million in ransom to hackers on June 12, 2020.
  • New research suggests there may have been a second payment made a day earlier.
  • If true, the total payment made by UCSF would be $1.8 million.

Researchers at keyless wallet provider ZenGo suspect the University of California San Francisco made not one, but two ransom payments to the Netwalker hacker group earlier this year.

As reported by Decrypt, transcripts showed that a payment of $1.14 million was made in Bitcoin on June 12, 2020. But having looked at the transaction on the blockchain, ZenGo’s researchers noticed that a second, very similar transaction was made around the same time, worth $700,000—and it was likely a further ransom payment.

“The previously unknown payment was chronologically the first. Media missed it as they just relied on the leaked correspondence between attackers and negotiators, and did not use Bitcoin analytics,” Tal Be’ery, co-founder at ZenGo, told Decrypt.

We have reached out to UCSF and will update this article if we hear back.

How did they find the payment?

The researchers at ZenGo tracked down the original payment on the Bitcoin blockchain; as a very large transaction, it was hard to miss. They knew the paid ransom sum was 116.4 BTC and they also knew the payment date of June 12, 2020. Using this information, the researchers queried the Bitcoin blockchain for reported transactions fitting the description until they found the correct data.

During the investigation, the researchers discovered a similar payment made 19 hours before the reported UCSF payment. The money trail was very similar, with the funds originating from the same Binance address, and going to the same Netwalker affiliate. 
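The two steps described above, matching a payment by its reported size and date and then looking for sibling transfers between the same sender and recipient, can be expressed as a small matching routine. The following is an added example, not code from the article or from ZenGo: it runs over a constructed, offline list of transactions in which every address, transaction id and amount other than the publicly reported 116.4 BTC on June 12, 2020 is a placeholder, and the tolerance and time window are assumptions chosen for the demonstration. An investigator would apply the same two filters to transaction records pulled from a Bitcoin node or a block explorer.

```python
"""Added example (not from the article or ZenGo): match a known ransom
payment in a constructed, offline transaction list, then look for sibling
payments between the same sender and recipient close in time.

Addresses, txids and the 71.5 BTC figure are constructed placeholders;
116.4 BTC on 2020-06-12 is the figure the article reports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Tx:
    txid: str
    time: datetime       # block time, UTC
    sender: str          # dominant input address (e.g. an exchange hot wallet)
    recipient: str       # dominant output address
    amount_btc: float


def find_by_amount_and_date(txs, amount_btc, day, tolerance_btc=0.05):
    """Step 1: transactions of the reported size on the reported day.
    Fees and change outputs make exact equality unreliable, so a small
    tolerance (an assumption here) is applied."""
    return [
        t for t in txs
        if t.time.date() == day and abs(t.amount_btc - amount_btc) <= tolerance_btc
    ]


def find_related_payments(txs, anchor, window_hours=48):
    """Step 2: other transfers from the anchor's sender to the anchor's
    recipient within +/- window_hours, oldest first, excluding the anchor."""
    lo = anchor.time - timedelta(hours=window_hours)
    hi = anchor.time + timedelta(hours=window_hours)
    return sorted(
        (t for t in txs
         if t.txid != anchor.txid
         and t.sender == anchor.sender
         and t.recipient == anchor.recipient
         and lo <= t.time <= hi),
        key=lambda t: t.time,
    )


def hours_between(a, b):
    """Absolute gap between two transactions' block times, in hours."""
    return abs((a.time - b.time).total_seconds()) / 3600


UTC = timezone.utc

# Constructed sample ledger. tx-a1 is placed 19 hours before tx-a2 to mirror
# the gap the article describes; tx-b1 has the same size but unrelated parties
# and tx-c1 shares the parties but falls outside the window.
SAMPLE_TXS = [
    Tx("tx-a1", datetime(2020, 6, 11, 15, 0, tzinfo=UTC), "EXCHANGE_HOT_WALLET_X", "AFFILIATE_WALLET_Y", 71.5),
    Tx("tx-a2", datetime(2020, 6, 12, 10, 0, tzinfo=UTC), "EXCHANGE_HOT_WALLET_X", "AFFILIATE_WALLET_Y", 116.4),
    Tx("tx-b1", datetime(2020, 6, 12, 10, 5, tzinfo=UTC), "SOME_OTHER_SENDER", "SOME_OTHER_RECIPIENT", 116.4),
    Tx("tx-c1", datetime(2020, 6, 20, 9, 0, tzinfo=UTC), "EXCHANGE_HOT_WALLET_X", "AFFILIATE_WALLET_Y", 5.0),
    Tx("tx-d1", datetime(2020, 6, 12, 12, 0, tzinfo=UTC), "RETAIL_USER_Z", "MERCHANT_W", 0.01),
]


def investigate(txs=SAMPLE_TXS, amount_btc=116.4, day=datetime(2020, 6, 12).date()):
    """Run both steps and return, per candidate anchor, the related transfers
    as (txid, hours from anchor, amount)."""
    report = []
    for anchor in find_by_amount_and_date(txs, amount_btc, day):
        related = find_related_payments(txs, anchor)
        report.append({
            "anchor": anchor.txid,
            "related": [(t.txid, round(hours_between(anchor, t), 1), t.amount_btc) for t in related],
        })
    return report


if __name__ == "__main__":
    for entry in investigate():
        print(entry)
```

Note that the size-and-date filter alone returns two candidates; only the second filter on shared sender and recipient separates the transfer that fits the article's description from a same-sized payment between unrelated parties, which is why the article stresses the money trail rather than the amount.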

This payment may have been unrelated, but Be’ery was told it was more likely to be related to the original ransomware attack. “Ransomware negotiators I talked to said they often try to pay in a tranched manner in return to some ‘milestones’ (e.g. data about how attackers were able to penetrate the network) to build rapport between the parties,” Be’ery said.

“Additionally, the alternative explanation, that connects the first payment to another unrelated ransomware incident by the same Netwalker affiliate happening in parallel, is unlikely,” Be’ery added in a blog post.

Another lesson learned here is how much information can be found on the blockchain. “Our story makes a point that is bigger than the specific case itself. It shows that Bitcoin blockchain research can reveal vital information on ransomware incidents,” Be’ery said.

It’s no wonder that blockchain analytics services are becoming increasingly valuable.