Academic health research institution the University of California, San Francisco and business process services company Conduent have emerged as two of the latest prominent victims of organized ransomware attacks.

UCSF was targeted by the NetWalker (aka MailTo) ransomware group, as evidenced by a post on the cyber gang’s data leak website, while it was the Maze group that claimed Conduent as a victim online.

Both of these ransomware operators not only encrypt their targets’ files, but also publish stolen files on a piecemeal basis unless and until the victim pays up. A reliable source sent SC Media an image from both NetWalker’s and Maze’s postings.

Both UCSF and Conduent acknowledged their respective incidents, sharing limited details.

“On June 1, 2020, our internal monitoring controls discovered an illegal intrusion into a specific area of our IT environment, and we took prompt action to address it,” said UCSF in a statement. “We believe our actions isolated the intrusion to the area that was targeted. Our patient care delivery operations have not been affected by the incident.”

According to a Bloomberg report, UCSF has been conducting coronavirus antibody testing and clinical trials of potential COVID-19 treatments.

UCSF says it’s working with an IT security expert and reaching out to law enforcement to investigate the event and what information was compromised.

This is not the first time NetWalker ransomware has targeted the health care industry. In March, just before COVID-19 was declared a pandemic, the same ransomware hit the Champaign-Urbana Public Health District, taking down its website and the staff’s ability to access records.

Meanwhile, Sean Collins, director of external communications at $4.47 billion company Conduent, said the company’s European operations experienced a service disruption on May 29.

“Our system identified ransomware, which was then addressed by our cybersecurity protocols,” said Collins. “This interruption began at 12.45 a.m. CET on May 29 with systems mostly back in production again by 10.00 a.m. CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have ongoing internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”