The University of Utah has paid a ransomware group over $457,000 in order to safeguard student information.

Despite officials at the university restoring lost data from backups, the educational institution made the decision to pay the requested ransom to prevent the cybercriminal gang from leaking the stolen student data online.

A new trend in ransomware attacks

The incident in Utah is part of a growing trend in ransomware attacks, where data files are not only encrypted, but exfiltrated as well. Ransomware groups can then threaten to publicly expose sensitive information when targets refuse to give in to their demands. This approach presents threat operators with a second layer of attack and an extortion option that effectively counters the scenario where victims have created data backups and refuse to pay for decryption keys.

In a public statement posted on its dedicated website, the University of Utah said it had averted a more serious ransomware incident: cybercriminals infiltrated its servers but encrypted only 0.02 percent of stored data. The university added that its personnel had restored the files from backups, but further threats from the ransomware group convinced the institution’s management to change tack and pay up. It commented:

“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet.”

Identifying the threat operators responsible

Although the gang behind the ransomware attack has not been officially identified, cyber security experts believe it is the work of an outfit known as NetWalker. Emsisoft’s threat analyst, Brett Callow, stated that although no concrete evidence was available at present, the ransomware group was most likely responsible for the attack on the university.

NetWalker is believed to have already accrued over $25 million from targeted ransomware attacks in 2020 and has orchestrated a recent torrent of strikes on university networks across the USA, including institutions in Chicago, Seattle, Michigan and San Francisco. NetWalker’s attack on the University of California’s network resulted in the institution paying out $1.14 million.

Callow, however, disagreed with the University of Utah’s decision to pay its attackers to prevent the data leak, and warned of the lack of practical benefits and the potential dangers of this chosen course of action. He said:

“All that organisations are paying for in this scenario is a pinkie promise from a bad faith actor that the stolen data will be destroyed. Whether the groups do ever destroy data is something only they know, but I suspect they do not. Why would they? They may be able to monetise the information at a later date or use it for spear phishing or identity theft.”

Callow’s sentiments have been echoed here in the UK, where many government ministers are calling for stricter laws to stop companies from paying ransoms, arguing that the action only encourages cybercriminals to continue their malicious campaigns.