University of Utah Pays Ransom to Avoid Data Disclosure
Cyber Insurance Covered a Portion of the $457,000 Expense
The University of Utah paid a $457,000 ransom to stop a hacker from disclosing data stolen in a July ransomware attack on the network of its College of Social and Behavioral Science.
"After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker," the university said in a statement. "This was done as a proactive and preventive step to ensure information was not released on the internet."
A cyber insurance policy paid a portion of the ransom, and the university covered the remainder, officials say.
Corey Roach, the university's CISO, tells Information Security Media Group that the school also received a decryption key after paying the ransom. "However, it was not a primary consideration in paying the ransom. We were able to recover almost everything from backups, but it is useful to have the ability to decrypt and recover files created after the last backup."
The Ransomware Attack
The College of Social and Behavioral Science’s network was hit with ransomware on July 19, knocking its servers offline, university officials say. The affected portion of the network was immediately isolated from the broader university network to limit damage, and law enforcement officials were notified.
"Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college," the university notes in its statement. "It was determined that approximately .02% of the data on the servers was affected by the attack. This data included employee and student information."
The nature of the data affected by the attack is still being investigated, the university says, and it will notify those affected.
The school waited until July 29 to have students, staff and faculty change their passwords. The delay allowed the university’s investigators time to determine what was stolen and how access was gained and to coordinate their efforts with law enforcement, the statement notes.
"After a thorough review of the facts, all students, faculty and staff were directed to change their passwords. Because of the size and scope of such a request, preparations had to be made to ensure that password resets went smoothly in each campus entity," the university states.
The attack helped the school identify weaknesses in its cybersecurity defenses, and it is making additional investments and changing procedures to better protect its data, officials say.
"The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment," according to the statement. "The university is also unifying the campus to one central Active Directory and moving college networks into the centrally managed university network."
In recent months, several ransomware gangs, including Maze, DoppelPaymer and Sodinokibi, have frequently been using the tactic of threatening to release data stolen during a ransomware attack.
Because more organizations are now better prepared to recover from a ransomware attack by using backups to regain access to data that was encrypted, attackers are also exfiltrating data and threatening to leak it if a ransom is not paid (see: City Pays Ransom Despite Pre-Ransomware Outbreak Hack Alert).