Utes gotta be kidding me... University of Utah handed $457K to ransomware creeps

The University of Utah has admitted to handing over a six-figure pile of cash to scumbags to undo a ransomware infection during which student and staff information was stolen by hackers. The American school that gave the world science fiction author Orson Scott Card, ballistic missile designer Simon Ramo, and NBA player Keith …

  1. DavCrav Silver badge

    "University of Utah says that none of the money it handed over to the criminals came from the student tuition, grants, or state taxpayer funds it takes in. Rather, a portion came out of a "cyber insurance" policy it keeps and the remainder was from the school's private accounts."

    Yers, it came from the money here in this corner of our bank account. Not the other half where tuition fees are paid in.

  2. Doctor Syntax Silver badge

    "After careful consideration, the university decided to work with its cyber insurance provider"

    I hope the insurers in these cases are adjusting the claimants' future premiums to levels that will encourage them to be a bit more careful and impose conditions that, if not met, could result in claims being refused in future.

  3. sanmigueelbeer Silver badge

    The way I see it, the school has no choice but to pay up.

    If any of those pilfered files hit the internet, the school will be paying more from litigation.

    On the other side of the world, ASIC sues financial services company for repeated hacks. (And take note the company is an affiliate to an Australian bank.)

    In those two cases, a computer was infected with ransomware that rendered the files on it inaccessible, and a network being hacked by remote access resulting in a data breach affecting 226 client groups.

    The unknown hacker obtained access via an FFG staff account, and spent more than 155 hours logged into the file server that contained sensitive financial information and client identification documents.

    KPMG's forensic analysis also found crypto miner malware on the file server, as well as a virtual private network being set up, a peer-to-peer file sharing application, hacking tools and brute-force password cracking software.

    I'll let y'all read this article. It's them "what else can go wrong" moment.

    1. Yet Another Anonymous coward Silver badge

      >The way I see it, the school has no choice but to pay up.

      Unless the money was going to terrorists or countries under a US embargo.

      1. Alan Brown Silver badge

        > Unless the money was going to terrorists or countries under a US embargo.

        I believe that US federal law makes it illegal to pay extortionists of any kind

  4. jezza99

    Are they kidding? If I were a hacker I know which University I would target next.

    I can’t see how paying a ransom is ever a good idea.

  5. Richard Boyce

    Insurer

    Can an insurer require that a ransom be paid, with an excess, by specifying that it will only cover the cheapest recovery method?

  6. Nifty Silver badge

    2 theories here:

    1. The backup regime was so slack, the administration was dead in the water without decryption.

    2. The skeletons in cupboards were worth more than the cash handed over.

    Go figure. But also look at the last job ads they placed for their IT staff, to see how realistic they were for the real world.

    1. sanmigueelbeer Silver badge

      > The backup regime was so slack, the administration was dead in the water without decryption.

      I am not surprised at this at all. US-based schools and universities are easy targets. Not only are the majority of the IT systems running on antiquated equipment with unpatched OS, they probably have trouble keeping talent on-board due to lack of funding.

    2. Alan Brown Silver badge

      > 1. The backup regime was so slack, the administration was dead in the water without decryption.

      If you check the El Reg webinar on this a couple of weeks back, you'll know that the attackers may sit on the network for a couple of years before pulling the trigger. Backups of encrypted files aren't much use without keys and if you rotate your tapes in a shorter period..... oops.

      (and of course if you do D-D-T or backup to disk, then your backups are vulnerable to being trashed, as many people have found out over the years)

  7. jgarbo
    Facepalm

    Utah Retard School

    And the hackers were honest enough not to copy the data before encryption and ransom payout, then use it again? OK Professors, what are 2+2?

    1. Pascal Monett Silver badge

      Re: Utah Retard School

      Exactly. The school did not choose to pay to not let the information out, the school chose the pay-and-pray-they'll-keep-their-word option.

      You're dealing with criminals, their word is as good as their deed.

      On the other hand, from a marketing point of view, it's bad for business if you hack someone, get the ransom and then let them hang. So I guess the hackers are kind of forced to keep their word because if hackers are known to screw you once you've paid, there would be zero incentive to pay, right ?

      1. Richard 12 Silver badge

        Re: Utah Retard School

        Depends on who the hackers are selling the data to, really.

        Paying up just means they probably won't post it publicly, they'll be charging other miscreants for access instead.

        After all, if the mark paid half a million for them to keep schtum, the data must be worth a fair bit to the right buyers.

  8. Alan Brown Silver badge

    Danegeld

    The problem with paying Danegeld is that it gets rid of the immediate problem at hand, but it doesn't get rid of the Dane in the long term

    Several of these hacking crews have turned out to be connected to high level Russian politicians - hence arrests in Thailand, etc etc.

    At some point it's going to be cheaper (and more effective) to start paying for targeted assassinations.

  9. Claverhouse Silver badge
    Meh

    On The Other Hand...

    Most American Universities are floating on a sea of money that would dwarf the income of a small nation --- particularly Stanford ( $6.5 billion ) and California U ( $7.5 billion ). Utah U has an endowment of $1.225 billion and a budget of $4.83 billion. This payment is nothing to the wealthy --- which in the present world includes most of America.

    I recently referenced an article by Matt Taibbi, in a 2009 piece * he explained Obama gave $306 billion to Citigroup in the bailout after appointing Citigroup people to Team Obama. He was widely applauded for this by his fellow countrymen, but the fact is this is an unimaginable sum for most people. The University has to consider the best outcome, and very very often the best way to solve a problem is to throw money at it.

    .

    The president, Dr. Ruth V. Watkins, makes more than this in base pay each year, $537,245.

    Maybe they could invest in paying their lesser workers --- including IT staff --- rather more than the least they can get away with.

    .

    .

    * https://www.commondreams.org/news/2009/12/13/obamas-big-sellout-president-has-packed-his-economic-team-wall-street-insiders#

    1. Hawkeye Pierce

      Re: On The Other Hand...

      Unfortunately that article you link to regarding Citigroup is incorrect in a number of places.

      First and most importantly, the deal was arranged by the Bush administration not Obama. Secondly the Government did not "give" $306 billion. The total sum handed over amounted to some $45 billion over two tranches with the headline $306bn coming from the value of the loans that the Government agreed to take any losses on... potentially that could have amounted to $306bn but realistically was going to be nothing like that amount. Also the bailout was not a gift - it was a loan and the Government received a sizeable stake in Citigroup itself as part of the deal.

      And - albeit with the benefit of hindsight - a pretty successful financial transaction too for the Government as they've made around $15bn profit on the repaid loan and the sold shares in Citigroup.

  10. Potemkine! Silver badge

    that the school opted not to risk having it get out.

    It's a well known fact that cybercrooks can be trusted and they won't use these data in any way once the ransom is paid. And pigs fly too.

  11. Claptrap314 Silver badge

    Umm...

    ... guidance of a security expert who is an affiliate of the ransomware group ...

    FTFY

  12. DJ

    Thank you for your down payment

    It says the wizards at the uni paid the ransom "... to reverse an attack...".

    Doesn't say if they got their data back or not.

    I'm guessing not.

  13. More Jam

    "The American school that gave the world science fiction author Orson Scott Card, ballistic missile designer Simon Ramo, and NBA player Keith Van Horn"

    Also the employer of Elliott Organick. How are the mighty fallen...
