The University of Utah said it has paid a ransomware crew nearly a half million dollars to prevent the cyber gang from publicly revealing sensitive student data heisted in the break-in.
On July 19, 2020, hackers infiltrated the University’s College of Social and Behavioral Science (CSBS), encrypted a small amount (.02%) of confidential student and employee information stored on its servers and demanded roughly $457,000 not to release the information online, the school said in a statement. Data stored on the CSBS servers can no longer be accessed but IT staffers were able to recoup the information from backups, the school said. No central servers were affected in the incident.
“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” the university said. “This was done as a proactive and preventive step to ensure information was not released on the internet.” No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.
Officials said the infected servers were “immediately isolated” from the rest of the university and taken offline. Local law enforcement is on the case and the university’s Information Security Office is investigating the attack, officials said. In addition, an “outside consultant,” presumably a managed security service provider, “with expertise in handling these types of situations” is supporting the investigation.
In the wake of the attack, officials directed students and faculty to immediately change their passwords, do so at “regular intervals,” and use two-factor authentication, calling it “the best way to prevent security incidents in a large, complex organization like the University of Utah.”
Some security providers have advised against meeting ransom demands of cyber extortionists, mainly because doing so doesn’t guarantee all of the victim’s data will be returned. “When it comes to the question of paying a ransom, our recommendation is to never pay a ransom, and there are a few reasons for this,” said Kaspersky principal researcher Brian Bartholomew, following a survey the security specialist conducted. “There is also no way to tell if your information has been sold in underground markets once obtained,” he said. “Paying a ransom only encourages cyber criminals to further carry out these attacks as they are one of the most financially profitable attacks malefactors can perform.”
Still, schools remain a lucrative target for ransomware thieves, fueled by successful attacks in which education institutions have paid up to recover their data. In the most recent incident earlier this month, the Athens Independent School District (ISD) in Texas coughed up $50,000 to restore its data. A year ago, the The Rockville Centre school district in Long Island, NY paid almost $100,000 to restore its data after being hacked with a ransomware virus that encrypted files on the school district’s server.
