Hackers net half a million in University of Utah ransomware attack

The University of Utah paid a ransomware gang nearly half a million dollars to avoid having its data encrypted—and leaked. The university has become the latest victim in a recent string of ransomware attacks aimed at higher education. 

In a statement posted on its website Thursday, the university revealed that it was the target of a ransomware attack on July 19. The hackers managed to encrypt only 0.02% of the data stored on its servers, the university said. 

The university did not specify whether it paid the funds in cash or crypto—and it has not responded to a request for comment from Decrypt—but one cybersecurity expert believes the hackers likely demanded Bitcoin.  

The hackers zeroed in on the university’s College of Social and Behavioral Science servers, where student and employee data is stored. After the crooks threatened to leak the stolen data online, the university decided to fork over $457,059.

"After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” the university said. 

The university added that its cyber-insurance policy covered part of the ransom. “No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”

The likely culprit? NetWalker

Brett Callow, a threat analyst at cyber-security firm Emsisoft, told Decrypt that the operators of NetWalker ransomware were likely behind the attack. 

The group has targeted a number of educational establishments in recent weeks, including Columbia College Chicago, Michigan State University, and the City University of Seattle. Another victim, the University of California at San Francisco, ended up paying $1.14 million to the hackers after a week of negotiation earlier this month.

NetWalker has done well for itself, pulling in over $25 million from ransomware payments since March, according to McAfee, who recently published an extensive report on NetWalker’s activities. 

McAfee researchers said they “discovered a large sum of bitcoins linked to NetWalker which suggest its extortion efforts are effective and that many victims have had no option other than to succumb to its criminal demands.”  

Callow said it’s common for ransomware groups to demand payment in Bitcoin—although one group, REvil, prefers the privacy coin Monero. 

“Bitcoin is the cryptocurrency of choice probably because it’s familiar and very easy for organizations’ to obtain, which can enable transactions to be completed in the shortest possible time,” he said. “In fact, some organizations actually stockpile Bitcoin in case they need to pay a ransom demand.” 

Callow added that paying ransom payments is no guarantee that criminals won’t go ahead and leak the data anyway—as it equates to no more than a “pinky promise” that the criminals will destroy the data they’ve stolen.

“I suspect they do not,” he said. “Why would a criminal enterprise destroy data that it may be able to use or further monetize?” Many hackers sell stolen data on darknet markets. 

He believes that if organizations would immediately cease paying ransoms altogether, ransomware attacks would go away. 

“To put it another way, organizations that choose to pay are helping ensure that the problem continues and that other organizations will be targeted,” he said.