University of Utah Pays $457K After Ransomware Attack


The university said that it paid $457,000 to retrieve a decryption key after a ransomware attack encrypted student and faculty data on its servers.

The University of Utah coughed up a $457,000 ransom payment after a ransomware attack hit the university’s servers, impacting undisclosed student- and faculty-related data.

The Salt Lake City school, which has 24,485 undergraduate students and 8,333 graduate students enrolled, as well as 1,592 faculty members, was hit by the cyberattack on July 19. The university’s computing servers for its College of Social and Behavioral Science Unit were targeted and rendered temporarily inaccessible.

The university sought to downplay the attack’s impact, stressing that no central university IT systems were compromised, and that only 0.02 percent of the data on the compromised servers was affected by the attack. The university said that affected data included employee and student information, but has not yet clarified what kind of data that is. The university did say that it asked students, faculty and staff to change their university passwords after the attack.

“The university notified appropriate law enforcement entities, and the university’s Information Security Office (ISO) investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks,” according to the University of Utah in a Thursday statement. “The ISO assisted the college in restoring locally managed IT services and systems from backup copies. No central university IT systems were compromised by the attack on the college.”

The affected servers have since been isolated from the rest of the university and the internet, and law enforcement and an outside consultant are currently investigating. The university also did not specify how ransomware actors were able to access its servers in the first place, other than to say: “This incident helped identify a specific weakness in a college, and that vulnerability has been fixed.”

“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” it said. “This was done as a proactive and preventive step to ensure information was not released on the internet.”

A university spokesperson told Threatpost that they have since received the decryption key.

“However, it was not a primary consideration in paying the ransom,” the spokesperson said. “We were able to recover almost everything from backups, but it is useful to have the ability to decrypt and recover files created after the last backup.”

While the cyber insurance policy paid part of the ransom, the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom, the school said.

The University of Utah is the latest in a string of higher education institutions that have been hit by ransomware – and many have ended up paying the ransom. The University of California, San Francisco (UCSF) paid a $1.14 million ransom to recover data related to “important” academic work. The data was encrypted after the NetWalker ransomware reportedly hit the UCSF medical school.

The act of paying the ransom after a ransomware attack has long drawn criticism from security experts, who say that the payouts fund future malicious activities by cybercriminals and give them more incentive to launch further attacks. Experts say paying the ransom also can inspire other cybercriminals to launch similar attacks in hopes of making money. Some states, like New York, have even considered banning municipalities from paying ransomware demands.

Cyber insurance policies, like the one used by the University of Utah, are also changing the ransomware game, and have drawn concerns about how they will change the overall security landscape. For instance, some have wondered whether companies could slack on proactive security measures if they have a fallback buffer of cyber-insurance.

When Lake City, Fla. was hit by ransomware, for instance, the city ended up paying, and the incident was covered in part by its cyber-insurance provider. After it was hit by ransomware last year, aluminum giant Norsk Hydro received only $3.6 million in cyber-insurance – just a fraction of the total cost of the damage.

Regardless, as the COVID-19 pandemic continues to shape the face of cybercrime in 2020, researchers also warn that ransomware attacks are seeing sharp increases in the U.S. for the first half of the year.

“Unfortunately, organizations are still threatened by ransomware attacks due to lack of defense in depth,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “We see regular incidences of organizations being taken down by ransomware, particularly using targeted attacks using phishing as the vector of attack.”

The university for its part said that students and faculty should continue to use strong passwords, change them at regular intervals and use two-factor authentication.

“We continue to parse the information that was stolen, and we will update the [press release] with the findings of the analysis once it is completed,” the spokesperson told Threatpost. “While the attackers stole a small amount of data relative to the total number of files stored, there are still many documents to examine thoroughly.”
