University of Utah pays more than $450,000 in ransomware attack on its computers

The University of Utah paid extortionists almost half a million dollars after a ransomware attack on some of its computer servers, and is now telling students, staff and faculty to change their university passwords.

According to a statement issued by the university, it paid $457,059.24 to an “unknown entity” that hacked the College of Social and Behavioral Science servers on July 19, rendering them “temporarily inaccessible.”

The cyber criminals encrypted about 0.02% of the data stored there before the U.‘s Information Security Office detected the attack. The university did not specify the threat, but ransomware attacks involve criminal groups that hack into and steal data; encrypt it so that its owners cannot access it; and demand payment to release the data — often threatening to release sensitive information if their demands are not met.

The police were contacted and the university engaged “an outside consultant with expertise in handling these types of situations.”

The affected servers were “immediately isolated from the rest of the university and the internet.” The servers were “cleaned, and college data was reinstalled from system backups.” But because it included employee and student information — and after “careful consideration” — the ransom was paid “as a proactive and preventive step to ensure information was not released on the internet.”

According to the statement, the U.‘s cyber insurance policy paid “part of” the $457,059.24 ransom, and “the university covered the remainder.” The U. did not specify the breakdown, but added that “no tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”

The university is “still reviewing” exactly what data was accessed, and promised an update “when more information is available.”

Ten days after the attack, students, staff and faculty were told to change their university passwords. According to the university, the delay was because there had to be “a full understanding of what information may have been stolen and how access was gained” as it worked “with law enforcement to determine what steps” should be taken.