By Bruce Sussman
Fri | Aug 21, 2020 | 4:30 AM PDT

The University of Utah is starting its fall semester with a great deal of disruption.

There is COVID-19 testing and tracing, new human traffic flow patterns to avoid student bottlenecks getting into buildings, and mandatory limits on how many students can be in a single facility like the library.

Now, you can add a ransomware attack to the list of disruptions the university is juggling.

And this disruption was enough, the university says, to justify paying hackers nearly half a million dollars in digital ransom.

Details of the University of Utah ransomware attack

The university just shared what happened, and when, regarding the cyberattack. 

We know the attack started on July 19, 2020, after hackers accessed a sliver of the university's network:

"....computing servers in the University of Utah's College of Social and Behavioral Science (CSBS) experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible.

It was determined that approximately .02% of the data on the servers was affected by the attack. This data included employee and student information. The ISO assisted the college in restoring locally managed IT services and systems from backup copies. No central university IT systems were compromised by the attack on the college."

The university's servers were encrypted, but it restored the systems and access from backups. It still decided to pay the ransom demand. Why?

Why did the University of Utah pay a ransom in its cyberattack?

Hackers and cybercriminals have evolved the way they use ransomware in cyberattacks. 

Once organizations became more disciplined at making and securing system backups, it became easier for them to say "no" to paying a ransom demand.

Why pay if you have restored access to your encrypted system, the way the University of Utah was able to do? Hackers adapted their tactics.

Starting in late 2019 and spreading rapidly through 2020, new strains of ransomware emerged that first exfiltrate (or steal) data, then encrypt the data on the victim's servers. Ransomware operators then threaten to publish the information stolen from the victim.
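Because the data has to leave the network before it can be held for ransom, the exfiltration stage is where a monitored environment has a chance to catch a double-extortion attack before the encryption and the demand. The following is an added example, not code from the article or from the University of Utah, of that detection logic run over constructed flow-log summaries: it totals each host's daily egress to addresses outside an assumed internal address range and flags a day whose volume is both large in absolute terms and far above that host's median on its other days. The log format, the host names, the INTERNAL_NETS list and the thresholds are all assumptions made for the example.

```python
"""Flag the exfiltration stage of a double-extortion attack in flow-log summaries.

Added example; not code from the article or the University of Utah. It assumes a
constructed, simplified log line format:  <day> <src_host> <dst_ip> <bytes_out>
Real sources (NetFlow/IPFIX, VPC flow logs, firewall logs) differ; adapt the parser.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import statistics

# Assumed internal address space (site-specific; RFC 1918 used here as a stand-in).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not real traffic: "fs01" normally sends a few hundred KB a day
# outside the internal nets; on day4 it pushes ~42 GB to a single outside address.
SAMPLE_FLOWS = """\
day1 fs01 10.0.5.12 5200000
day1 fs01 10.0.5.13 3100000
day2 fs01 10.0.5.12 4800000
day2 fs01 203.0.113.7 120000
day3 fs01 10.0.5.12 5000000
day3 fs01 198.51.100.9 210000
day4 fs01 10.0.5.12 5100000
day4 fs01 198.51.100.22 42000000000
day4 ws07 198.51.100.9 180000
"""


def parse_flows(text):
    """Parse the simplified format into (day, host, dst_ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, host, dst, nbytes = line.split()
        flows.append((day, host, dst, int(nbytes)))
    return flows


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host_day(flows):
    """{(host, day): {dst_ip: bytes}} counting only flows that leave the internal nets."""
    agg = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_internal(dst):
            continue
        agg[(host, day)][dst] += nbytes
    return agg


def find_exfil_candidates(flows, min_bytes=1_000_000_000, ratio=10.0):
    """Alert when a host's external egress on one day is both large in absolute
    terms (>= min_bytes) and more than `ratio` times that host's median external
    egress on its other days. Both thresholds are assumed tuning values."""
    agg = external_bytes_by_host_day(flows)
    per_host = defaultdict(dict)  # host -> {day: total external bytes}
    for (host, day), dsts in agg.items():
        per_host[host][day] = sum(dsts.values())

    alerts = []
    for host, days in per_host.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if total >= min_bytes and total > ratio * baseline:
                # Which destination took most of the day's egress: a single drop
                # point receiving nearly everything is typical of staged exfiltration.
                top_dst, top_bytes = max(agg[(host, day)].items(), key=lambda kv: kv[1])
                alerts.append({
                    "host": host, "day": day, "bytes": total, "baseline": baseline,
                    "top_dst": top_dst, "top_share": top_bytes / total,
                })
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['host']} {a['day']}: {a['bytes'] / 1e9:.1f} GB out "
              f"(baseline {a['baseline'] / 1e6:.2f} MB), "
              f"{a['top_share']:.0%} to {a['top_dst']}")
```

On the constructed sample only fs01 on day4 is flagged: 42 GB against a 165 KB median, all of it to one outside address. The absolute floor keeps a workstation with a single day of modest traffic (ws07 here) from alerting, and the per-destination share is what an analyst would look at first. Real operators often throttle or spread transfers across days and destinations, so the thresholds need tuning against the site's own baseline rather than the values assumed here.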

In the case of the University of Utah, that included student and employee data. Hackers held it over the university's head and the trick worked. The end result was a hefty payment:

"After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet."

The University made the payment in cryptocurrency, through a third-party firm. It says the payment was worth $457,059.24 USD at the time of the transaction.

Where did the University of Utah come up with the ransom money?

It's no secret that many universities are taking a huge financial hit because of COVID-19 changes.

So where would the University of Utah come up with so much ransom money? It had cyber insurance: 

"The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom."

Insurers often find it cost effective to pay cybercriminals in exchange for a promise to destroy the stolen data, even though the victim has no way to verify that the copies were actually deleted. If the data is published, the university and its insurers could face years of privacy and security related lawsuits along with greater reputational harm.

This University of Utah scenario is also why cyber insurance is a critical tool in incident response, according to attorney Shawn Tuma:

"In my experience—and I've been in cyber law for 20 plus years now, dealing with various forms of cyber issues, serving in the incident response capacity, which is where most of my work is right now—there are two things that I have found to be absolutely critical to the resilience of a company when they get hit, so how well they can handle and respond to those hits. And number one is cyber insurance. Cyber insurance is what pays for you to do what you need to do to have a proper response."

Tuma also says cyber risk in general, and ransomware specifically, may be the greatest business risk an organization can face. 

Why is higher education a hot target for ransomware operators?

SecureWorld News has covered a number of higher education ransomware attacks this year, including a ransom payment by Cal State University.

In its comments about the ransomware attack, the University of Utah explains why it remains vulnerable to ransomware attacks, despite all of the cybersecurity protections it has in place:

"Networks and IT infrastructure are monitored 24 hours a day, and the IT environment is continuously assessed to identify any vulnerabilities that need to be addressed.

Despite these processes, the university still has vulnerabilities because of its decentralized nature and complex computing needs. This incident helped identify a specific weakness in a college, and that vulnerability has been fixed."

Many universities and colleges are set up in a similar fashion, which complicates the picture for achieving the best possible cybersecurity. As the saying goes, complexity is the enemy of security.

The University of Utah says that it is on a journey to simplify its network, especially where critical assets are concerned:

"The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment. The university is also unifying the campus to one central Active Directory and moving college networks into the centrally managed university network.

These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again."

Unfortunately, this incident will likely happen again at a different educational institution, as ransomware operators move on to their next profitable target.
