The University of Utah has released a notice updating its community of faculty and students on a major ransomware incident. According to the notice, released Aug. 20, the University of Utah’s College of Social and Behavioral Science (CSBS) “experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible.” This incident took place on July 19 and caused roughly .02 percent of the data on the servers to be compromised. This data included personal data on faculty and members of the student body. The notice states that a vulnerability was to blame for the ransomware infecting the servers.
On July 29 — 10 days after the ransomware attack — the University of Utah sent out a campus-wide notice to all members of the community, instructing them to change their passwords. The University of Utah stated that the order to change passwords came so late due to law enforcement’s suggestions during the investigation, namely that “preparations had to be made to ensure that password resets went smoothly in each campus entity.”
The notice did not reveal who was responsible for the ransomware attack, but the University of Utah admitted it paid the ransom to the tune of $457,059.24. The money came from a cyber insurance policy. No other funds, such as tuition, were used to pay for the ransom, the University said.
In a statement to Threatpost’s Lindsey O’ Donnell, a University of Utah spokesman stated that they received the ransomware decryption key upon payment. They also had this to say about paying the ransom:
However, it [the decryption key] was not a primary consideration in paying the ransom... We were able to recover almost everything from backups, but it is useful to have the ability to decrypt and recover files created after the last backup... We continue to parse the information that was stolen, and we will update the [press release] with the findings of the analysis once it is completed... While the attackers stole a small amount of data relative to the total number of files stored, there are still many documents to examine thoroughly.
The official position of most security professionals is that paying the ransom during a ransomware incident is the wrong move. What’s done is done in this case, but all the University of Utah has done is likely to encourage its attackers to strike again. There is no guarantee that they, whoever it was behind the attack, will not come back for seconds. Additionally, there is never a guarantee that attackers will hand over the decryption key once paid.
Ransomware is here to stay, so it is vital that organizations around the world move to a unified, effective strategy to counter the inevitable attacks. Universities, in particular, are experiencing an uptick in ransomware attacks. As such, they should implement the strategies soon.
Featured image: Wikimedia/Ricardo630