In brief:
- The University of Utah is the latest higher ed victim of a ransomware attack.
- To avoid having its data leaked, the University paid the extortionists.
- It is likely the operators of NetWalker ransomware were behind the attack.
The University of Utah paid a ransomware gang nearly half a million dollars to avoid having its data encrypted—and leaked. The university has become the latest victim in a recent string of ransomware attacks aimed at higher education.
In a statement posted on its website Thursday, the university revealed that it was the target of a ransomware attack on July 19. The hackers managed to encrypt only 0.02% of the data stored on its servers, the university said.
The university did not specify whether it paid the funds in cash or crypto—and it has not responded to a request for comment from Decrypt—but one cybersecurity expert believes the hackers likely demanded Bitcoin.
The hackers zeroed in on the university’s College of Social and Behavioral Science servers, where student and employee data is stored. After the crooks threatened to leak the stolen data online, the university decided to fork over $457,059.
“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” the university said.
The university added that its cyber-insurance policy covered part of the ransom. “No tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”
The likely culprit? NetWalker
Brett Callow, a threat analyst at cyber-security firm Emsisoft, told Decrypt that the operators of NetWalker ransomware were likely behind the attack.
The group has targeted a number of educational establishments in recent weeks, including Columbia College Chicago, Michigan State University, and the City University of Seattle. Another victim, the University of California at San Francisco, ended up paying $1.14 million to the hackers after a week of negotiation earlier this month.

NetWalker has done well for itself, pulling in over $25 million from ransomware payments since March, according to McAfee, who recently published an extensive report on NetWalker’s activities.
McAfee researchers said they “discovered a large sum of bitcoins linked to NetWalker which suggest its extortion efforts are effective and that many victims have had no option other than to succumb to its criminal demands.”
Callow said it’s common for ransomware groups to demand payment in Bitcoin—although one group, REvil, prefers the privacy coin Monero.
“Bitcoin is the cryptocurrency of choice probably because it’s familiar and very easy for organizations to obtain, which can enable transactions to be completed in the shortest possible time,” he said. “In fact, some organizations actually stockpile Bitcoin in case they need to pay a ransom demand.”
Callow added that paying a ransom is no guarantee that criminals won’t go ahead and leak the data anyway—as it equates to no more than a “pinky promise” that the criminals will destroy the data they’ve stolen.
“I suspect they do not,” he said. “Why would a criminal enterprise destroy data that it may be able to use or further monetize?” Many hackers sell stolen data on darknet markets.
He believes that if organizations would immediately cease paying ransoms altogether, ransomware attacks would go away.
“To put it another way, organizations that choose to pay are helping ensure that the problem continues and that other organizations will be targeted,” he said.