SALT LAKE CITY — The University of Utah was stung by cybercriminals for almost $500,000 in ransom following a July attack that gave the state’s flagship institution the choice of sacrificing private student and employee data, or paying up and hoping the information wasn’t compromised.
The incident follows a series of attacks this year on North American colleges and universities, some of which have led to nasty consequences for schools that have chosen to play hardball with cyberextortionists.
The U. reported that on July 19, computing servers in the College of Social and Behavioral Science experienced a “criminal ransomware attack, which rendered its servers temporarily inaccessible.” The school said it immediately isolated the servers from the rest of the institution’s computer network systems, notified appropriate law enforcement entities and deployed its Information Security Office which, according to a web posting, “investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks.”
That resolution included making a Bitcoin payment of $457,059 to the hackers who provided a code to unlock the data servers. The school said the payment was covered by its insurer and the school but stipulated that “no tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”
Cryptocurrencies like Bitcoin are commonly stipulated in hackers’ ransom demands since the digital transactions can be easily conducted in a manner that is essentially untraceable.
Corey Roach, the U.’s chief information officer, told the Deseret News that it was the first successful attack of its kind targeting U. digital assets. Roach said senior leaders on the school’s information technology team, along with input from an outside consultant and the U.’s insurer, were all involved in making the decision to pay the ransom.
No details have been provided about what student and faculty information may have been uncovered by hackers and the school said it was “still reviewing the incident to determine the nature of the data that was accessed.” Roach said that “while the attackers stole a small amount of data relative to the total number of files stored, there are still many documents to examine thoroughly.”
Some 10 days after the attack, the school sent out a campuswide notice to faculty and students asking them to update the passwords used to access the school’s network.
The delay between the incident and the call for updating passwords was due to an investigation related to the attack, according to the U., as well as work to ensure that “password resets went smoothly in each campus entity.”
In its web posting on the incident, the university noted the incident “helped identify a specific weakness in a college, and that vulnerability has been fixed.”
This spring, Michigan State University, Columbia College Chicago and the University of California, San Francisco all experienced similar ransomware attacks over a two-week window.
While none of the institutions reported what they were asked to pay, a report by the Inside Higher Ed news site noted all three schools were targeted using malicious software known as NetWalker and given a deadline of six days to pay.
Michigan State University made the decision to ignore the ransom request and just days after the payment deadline passed, information stolen from the school’s physics and astronomy units was made available on the dark web, according to the report.
More recently, Canada’s Royal Military College in Ontario was targeted by cyberthieves in another suspected ransomware attack.
That school, operated by the Canadian federal government for future military officers, also declined to respond to ransom demands made in a July attack and, like Michigan State, saw stolen data show up on the dark web.
Brett Callow, a threat analyst with Emsisoft, an anti-malware and anti-virus company, told Global News that it was common for those running ransomware scams to attempt to compel payment by first releasing a small portion of stolen information.
“Groups typically start by publishing only a small amount of the data that was taken, which is the equivalent of a kidnapper sending a pinky finger,” Callow said. “Should the victim still not pay, the remaining data is released, usually in a series of installments.”
Roach said his school was not aware of any connections to other, similar ransomware attacks on colleges and universities and noted the U. incident was still under investigation by law enforcement. He said teams were actively monitoring sites where stolen data is typically offered for sale by cyberthieves to help ensure information that was on the compromised servers is not distributed.