University of Utah pays $457K ransom to prevent data disclosure

The university managed to get its files back from backups but still had to pay a ransom to prevent a leak of sensitive data

University of Utah pays $457K ransom to prevent student and staff data from being published online

The University of Utah was the target of a major cyberattack. According to the announcement[1] posted on its official website, the educational institution was hit by ransomware that affected the servers of its College of Social and Behavioral Science (CSBS). Upon discovery of the incident, the compromised servers were immediately isolated from the internet and from the rest of the university network, although the data on them had already been encrypted:

On Sunday, July 19, 2020, the university’s College of Social and Behavioral Science (CSBS) was notified by the university’s Information Security Office (ISO) of a ransomware attack on CSBS computing servers. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college.

While university officials managed to restore all the files from backups, the university was still forced to pay the ransom to prevent student and staff data from being published online. According to the announcement, the cybercriminals demanded over $457K, which the university paid to prevent a major information leak and the potential compromise of personal safety.

Ransomware gang stole 0.02% of the data stored on the compromised servers

After breaking into the university's servers, the malicious actors managed to download some personal and sensitive data belonging to College of Social and Behavioral Science students, staff, and faculty members. As soon as the compromised servers were isolated and disconnected from the internet, the University of Utah contacted the appropriate law enforcement authorities and began an investigation.

It turned out that the university's central IT systems remained untouched, and the cybercriminals stole only 0.02% of the data on the servers they accessed. Since the academic establishment had access to fully functional backups, all the encrypted files were quickly restored, and the CSBS servers were back online soon after.

Had the incident happened a year earlier, this would have been the end of the story. Cybercriminals, however, now employ an additional extortion method to make victims pay the ransom: they threaten to release the stolen information to the public, which has far wider implications than data encryption alone. Thus, the University of Utah had to reconsider and proceed with the payment:

After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet.

The massive ransom, totaling USD 457,059.24, was paid in part by the university's cyber insurance provider, while the remainder of the sum came out of the institution's budget. No tuition, donation, or taxpayer funds were used for the purpose.

The negative impact of a ransomware attack is always high

Even though the University of Utah managed to keep the stolen information private, it still suffered major damage:[2]

  • the attack prevented students and staff from accessing CSBS servers for a short period of time, disrupting normal operations;
  • the university suffered major financial losses due to the ransom payment;
  • the affected parties were required to change their passwords, which had to be carefully planned.

In response to the incident, the University of Utah stated that it has made major investments in cybersecurity. The institution said that “Networks and IT infrastructure are monitored 24 hours a day, and the IT environment is continuously assessed to identify any vulnerabilities that need to be addressed.”

Ransomware attacks against institutions, businesses, and corporations have long been a serious threat, but they became far more destructive in late 2019, when the Maze ransomware[3] gang introduced a new extortion method: threatening to release the stolen data publicly.[4] Since then, many high-profile ransomware gangs have adopted this scheme, as it pressures victims into paying the ransom even when data backups are available.

It is not yet known which cybercriminal gang is responsible for the University of Utah ransomware attack. However, it is certainly not the first attack against a major university, and it will not be the last. A month earlier, the University of York suffered a data breach after a third-party provider experienced a ransomware incident.[5]

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
