Administrators at the University of Utah announced Thursday that after suffering a ransomware attack in July, they paid their attackers $457,000 to delete sensitive student and teacher data that had been stolen from school servers.
A statement posted on the university’s website explains that on July 19, the university’s information security office detected the attack on servers at its College of Social and Behavioral Science. Though they determined that only 0.02% of the data from those servers had been affected and that the encrypted data could be restored from backups, the attackers demonstrated to the university that they had in fact stolen proprietary data and would publish it if not paid.
“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” the university’s statement read. “This was done as a proactive and preventive step to ensure information was not released on the internet. … The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”
Based in Salt Lake City, the University of Utah enrolls about 32,000 students and employs more than 12,000 faculty and staff. In addition to “immediately isolating” the affected servers from the rest of the university and the internet, the school’s response included a July 29 directive for all faculty, staff and students to change their passwords.
The data affected by the attack included “student and employee information,” but the university said it’s still reviewing the incident to figure out precisely which data was accessed.
The university did not disclose the ransomware group responsible for the attack, but Brett Callow, an analyst at the cybersecurity firm Emsisoft, told ZDNet that he believes the responsible group is NetWalker, the same group behind ransomware attacks against other higher education institutions, including Michigan State University, Columbia College Chicago and the University of California, San Francisco. UC San Francisco paid a ransom of $1.14 million after negotiating the price down from $3 million.
In responding to the attack, the University of Utah said it consulted with an external cybersecurity expert and law enforcement, two groups that generally recommend against paying ransoms.
The university’s statement concluded by explaining that although it’s made “substantial investments in technology to monitor and protect the university community against attacks, including ransomware threats,” it still has vulnerabilities because of the institution’s “decentralized nature and complex computing needs.”
“The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment,” the statement read. “The university is also unifying the campus to one central Active Directory and moving college networks into the centrally managed university network. These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again.”