SALT LAKE CITY – The University of Utah paid cybercriminals nearly $500,000 in ransom after a July attack in which data on students and staff was stolen from the state's flagship institution, choosing to pay and hope that the information would not be exposed.
The incident follows a series of attacks this year on North American colleges and universities, some of which have led to nasty consequences for schools that have chosen to play hardball with cyber-extortionists.
The U. reported that on July 19, computer servers in the College of Social and Behavioral Sciences experienced a "criminal ransomware attack, which made their servers temporarily inaccessible." The school said it immediately isolated the servers from the rest of the institution's computer network, notified law enforcement and engaged its Information Security Office, which, according to a web post, "investigated and resolved the incident in consultation with an external company that specializes in responding to ransomware attacks."
That resolution included making a $457,059 Bitcoin payment to the hackers, who in return provided a code to unlock the data on the servers. The school said the payment was covered by its insurer and the school, but stated that "no tuition, grant, donation, state or taxpayer funds were used to pay the ransom."
Ransomware operators typically demand payment in cryptocurrencies such as Bitcoin because the digital transactions can be executed easily in a way that is essentially untraceable.
Corey Roach, the chief information officer of the U., told the Deseret News that it was the first successful attack of its kind aimed at the U.'s digital assets. Roach said senior leaders in the school's information technology department, along with input from an outside consultant and the U.'s insurer, were all involved in making the decision to pay the ransom.
The school gave no details about what student and faculty information the hackers may have obtained, saying it "was still investigating the incident to determine the nature of the data that was accessed." Roach said that "although the attackers stole a small amount of data relative to the total number of files stored, there are still many documents to thoroughly investigate."
Some 10 days after the attack, the school sent a campus-wide message to faculty and students asking them to update the passwords used to access the school's network.
The delay between the incident and the call to update passwords, according to the U., was due to the investigation into the attack, as well as work to ensure that "password resets went smoothly across campus."
In its web post on the incident, the university noted the incident "helped identify a specific weakness in a college, and that vulnerability has been identified."
This spring, Michigan State University, Columbia College Chicago and the University of California, San Francisco all experienced similar ransomware attacks over a two-week window.
While none of the institutions reported what they were asked to pay, a report from the news website Inside Higher Ed found that all three schools were targeted using malicious software known as NetWalker, and were given a six-day deadline to pay.
Michigan State University decided to refuse the ransom demand, and just days after the payment deadline expired, information stolen from the school's physics and astronomy units was posted on the dark web, according to the report.
More recently, Canada’s Royal Military College in Ontario was targeted by cyber thieves in another suspected ransomware attack.
That school, operated by the Canadian federal government to train future military officers, also refused to meet the ransom demands made in a July attack and, like Michigan State, saw stolen data posted on the dark web.
Brett Callow, a threat analyst with Emsisoft, an anti-malware and anti-virus company, told Global News that it was common for those running ransomware operations to try to force payment by first leaking a small amount of the stolen information.
"Groups typically start by publishing only a small amount of the data that is taken, which is the equivalent of a kidnapper sending a pinky finger," Callow said. "If the victim has not yet paid, the remaining data will be released, usually in a series of installments."
Roach said his school was unaware of links to other, similar ransomware attacks on colleges and universities, noting that the U. incident was still being investigated by law enforcement. He said teams are actively monitoring the places where stolen data is typically offered for sale by cyber thieves to ensure that information stored on the compromised servers is not being spread.