University of Utah pays $457,000 to ransomware gang

On Sunday, July 19, 2020, computing servers in the University of Utah’s College of Social and Behavioral Science (CSBS) experienced a criminal ransomware attack, which rendered its servers temporarily inaccessible. The university notified appropriate law enforcement entities, and the university’s Information Security Office (ISO) investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks.

It was determined that approximately 0.02% of the data on the servers was affected by the attack. This data included employee and student information. The ISO assisted the college in restoring locally managed IT services and systems from backup copies. No central university IT systems were compromised by the attack on the college.

As a precautionary measure, on July 29, 2020, students, staff and faculty were directed to change their university passwords. Because the CSBS servers hosted data and IT services for the college and for a small group of other colleges, departments and administrative units, asking all users to update their passwords was a prudent response.

Summary and timeline of events:

On Sunday, July 19, 2020, the university’s College of Social and Behavioral Science (CSBS) was notified by the university’s Information Security Office (ISO) of a ransomware attack on CSBS computing servers. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college.

What steps were taken once the attack was identified?

CSBS servers were immediately isolated from the rest of the university and the internet. The university notified appropriate law enforcement entities, and the ISO began actively investigating the matter. An outside consultant with expertise in handling these types of situations was also engaged to support the investigation.

What is ransomware?

Ransomware is a form of attack in which, after gaining access to a system, the attacker encrypts the victim's files and then demands a ransom to restore access to the data. More recently, attackers have also begun to steal sensitive data before encrypting it and then threaten to release that data on the internet if the ransom is not paid.

Why wasn’t the campus community instructed to change their passwords sooner?

In any data security incident, there must be a full understanding of what information may have been stolen and how access was gained. It is also critical to work with law enforcement to determine what steps need to be taken legally, if any. After a thorough review of the facts, all students, faculty and staff were directed to change their passwords. Because of the size and scope of such a request, preparations had to be made to ensure that password resets went smoothly in each campus entity.

How was this situation resolved?

After careful consideration, the university decided to work with its cyber insurance provider to pay the ransom demanded by the attacker. This was done as a proactive and preventive step in an effort to keep the information from being released on the internet.

How much ransom was paid by the university?

$457,059.24 USD at the time of the transaction.

What funds were used to pay the ransom?

The university’s cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.

What is the nature of the information that might have been accessed?

The data contained student and employee information. The university is still reviewing the incident to determine the nature of the data that was accessed. This notice will be updated when more information is available.

Is there anything students, faculty and staff need to do?

Continue to use strong passwords, change them at regular intervals and use two-factor authentication. These are among the most effective steps individuals can take to help prevent security incidents in a large, complex organization like the University of Utah. There are no other steps members of the university community need to take.

Is CSBS back online?

Yes. The CSBS servers were cleaned, and college data was restored from system backups.

Is the University of Utah vulnerable to additional ransomware attacks?

The university has made substantial investments in technology to monitor and protect the university community against attacks, including ransomware threats. Networks and IT infrastructure are monitored 24 hours a day, and the IT environment is continuously assessed to identify any vulnerabilities that need to be addressed.

Despite these processes, the university still has vulnerabilities because of its decentralized nature and complex computing needs. This incident helped identify a specific weakness in a college, and that vulnerability has been fixed. The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment. The university is also unifying the campus to one central Active Directory and moving college networks into the centrally managed university network. These steps, in addition to individuals using strong passwords and two-factor authentication, are expected to reduce the likelihood of an incident like this occurring again.