The University of Utah says it paid more than $455,000 to criminals who attacked the school in a successful ransomware/extortion scheme last month. While the university says it thwarted the first part of the attack, with only 0.02% of data encrypted, it worked with its insurance company to pay to prevent the release of students' personally identifiable information (PII) exfiltrated in the second piece of the crime.
The University of Utah is not the first university to pay up this year. Indeed, extortion is growing as a component of attacks ranging from ransomware to distributed denial-of-service (DDoS), and criminal gangs are using it to compel payment even when a primary attack is mitigated. While there are numerous examples of organizations paying to avoid the extortion component of an attack, experts warn against trusting the criminal organizations to honor their promises.
"The decision to pay a fairly important ransom will likely bolster sophisticated attacks against US universities that are already surging," says Ilia Kolochenko, CEO of ImmuniWeb. "Hackers will not necessarily honor their nebulous promises and release the data even after being fully paid."
Worse, experts say, data that is not publicly released may still be shared with identity theft and spear-phishing gangs for further exploitation of victims.