Threat Management, Malware, Ransomware

UCSF, Conduent are latest to suffer the slings and arrows of ransomware

Academic health research institution the University of California, San Francisco and business process services company Conduent have emerged as two of the latest prominent victims of organized ransomware attacks.

UCSF was targeted by the NetWalker (aka MailTo) ransomware group, as evidenced by a post on the cyber gang's data leak website, while it was the Maze group that claimed Conduent as a victim online.

Both of these ransomware operators not only encrypt their targets' files, but also publish stolen files on a piecemeal basis unless and until the victim pays up. A reliable source sent SC Media an image from both NetWalker's and Maze's postings.

Both UCSF and Conduent acknowledged their respective incidents, sharing limited details.

"On June 1, 2020, our internal monitoring controls discovered an illegal intrusion into a specific area of our IT environment, and we took prompt action to address it," said UCSF in a statement. "We believe our actions isolated the intrusion to the area that was targeted. Our patient care delivery operations have not been affected by the incident."

According to a Bloomberg report, UCSF has been conducting coronavirus antibody testing and clinical trials of potential COVID-19 treatments.

UCSF says it's working with an IT security expert and reaching out to law enforcement to investigate the event and what information was compromised.

This is not the first time NetWalker ransomware has targeted the health care industry. In March, just before COVID-19 was declared a pandemic, the same ransomware hit the Champaign-Urbana Public Health District, taking down its website and the staff’s ability to access records.

Meanwhile, Sean Collins, director of external communications at $4.47 billion company Conduent, said the company's European operations experienced a service disruption on May 29.

“Our system identified ransomware, which was then addressed by our cybersecurity protocols," said Collins. "This interruption began at 12.45 a.m. CET on May 29 with systems mostly back in production again by 10.00 a.m. CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have ongoing internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.