How hackers extorted $1.14m from University of California, San Francisco
A leading medical-research institution working on a cure for Covid-19 has admitted it paid hackers a $1.14m (£910,000) ransom after a covert negotiation.
The Netwalker criminal gang attacked the University of California San Francisco (UCSF) on 1 June.
IT staff unplugged computers in a race to stop the malware spreading.
And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.
Cyber-security experts say these sorts of negotiations are now happening all over the world - sometimes for even larger sums - against the advice of law-enforcement agencies, including the FBI, Europol, and the UK's National Cyber Security Centre.
Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months.
UCSF is now assisting the FBI with its investigations while working to restore all affected systems.
It told BBC News: "The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
"We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.
"It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate."
But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: "Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.
"Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise."
Brett Callow, a threat analyst at cyber-security company Emsisoft, said: "Organisations in this situation are without a good option.
"Even if they pay the demand, they'll simply receive a pinky-promise that the stolen data will be deleted.
"But why would a ruthless criminal enterprise delete data that it may be able to further monetize at a later date?"
Most ransomware attacks begin with a booby-trapped email, and research suggests criminal gangs are increasingly using tools that can gain access to systems via a single download.
In the first week of this month alone, Proofpoint's cyber-security analysts say they saw more than one million emails using a variety of phishing lures, including fake Covid-19 test results, sent to organizations in the US, France, Germany, Greece, and Italy.
Organizations are encouraged to regularly back up their data offline.
But Proofpoint's Ryan Kalember said: "Universities can be challenging environments to secure for IT administrators.
"The constantly changing student population, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack."