Utes gotta be kidding me... University of Utah handed $457K to ransomware creeps

'After careful consideration' uni decided to pay up using its insurance policy


The University of Utah has admitted to handing over a six-figure pile of cash to scumbags to undo a ransomware infection during which student and staff information was stolen by hackers.

The American school that gave the world science fiction author Orson Scott Card, ballistic missile designer Simon Ramo, and NBA player Keith Van Horn says that last month it paid crooks $457,059.24 to reverse an attack on the network of its College of Social and Behavioral Science.

While there wasn't much data stolen in the July 19 attack (the school estimates that around .02 per cent of its info was actually taken and encrypted) what was accessed was sensitive enough that the school opted not to risk having it get out.

"After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker," University of Utah says.

"This was done as a proactive and preventive step to ensure information was not released on the internet. The data contained student and employee information."

At least the school came clean about the whole incident and told people what was going on. We've recently seen what happens when you try to cover up these sorts of things.


It used to be that paying ransomware demands was a non-starter for companies and institutions, as the common wisdom was that it would only encourage criminals and might not even result in the recovery of your data.

That idea, however, has gone by the wayside as ransomware crooks figured out that there was more money to be had by posting the pilfered data online for all to see rather than just locking it up and asking for Bitcoin.

Crews like Maze have made a habit of asking for hush money, then posting the stolen data when companies don't pay up. As a result, the idea of meeting the demands of attackers is not as far-fetched as it used to be, with the FBI even providing guidance to companies that want to pay for their data.

That said, it is recommended that any payments are done with the guidance of a security expert who is familiar with the ransomware group and can make sure you actually get your data back once the payment is made.

University of Utah says that none of the money it handed over to the criminals came from the student tuition, grants, or state taxpayer funds it takes in. Rather, a portion came out of a "cyber insurance" policy it keeps and the remainder was from the school's private accounts.

In addition to paying out nearly a half-million dollars, the school is asking students and faculty to change their passwords as a precautionary measure, and it says it will look to beef up its network security. ®



Biting the hand that feeds IT © 1998–2020