
Higher Ed Hit Extra Hard by Ransomware: Exp …
Colleges and universities are getting hit hard — not just by their pandemic enrollment woes and coronavirus parties — but by ransomware attacks.
Recently, we learned that the University of Utah paid out $457,000 to its ransomware attackers. That’s the price tag for what administrators described as 0.02% of the university’s data on the targeted servers, which included sensitive employee and student information.
After the university’s cyber insurance company paid out the cash, administrators assured the community that it was properly prepared for such an attack and would be more vigilant in the future.
“The university still has vulnerabilities because of its decentralized nature and complex computing needs. This incident helped identify a specific weakness in a college, and that vulnerability has been fixed,” UU officials wrote in a public statement. “The university is working to move all college systems with private and restricted data to central services to provide a more secure and protected environment.”
A Common Target
UU is the latest victim of a major ransomware attack – universities have become a major target in recent months. In June, Inside Higher Ed covered the spike in ransomware attacks at Michigan State University, University of California-San Francisco, and Columbia College Chicago.
At UCSF, the medical school ended up paying more than a million dollars in just one attack.
Per the university: “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
What the Experts Say
That said, the conventional wisdom is don’t pay. Spirion attorney Scott Giordano recently told the attendees of the New York City Virtual Cybersecurity Summit that paying is not the best idea, not only on a legal level but also on a moral level.
“You’re feeding the monster, and every time you feed the monster, the monster gets bigger. And that means, when the monster comes back again, it’s going to be more money,” Giordano said.
However, the cost of handling the damage from a breach, whether in stock price for a public company, public relations costs, or the other damage wrought by a ransomware attack, may far exceed the ransom requested by hackers, according to Gil Azrielant of Axis Security.
“In 96% of cases, paying does give you your data back. It’s a small fraction in comparison, and I think the enterprise has bigger concerns,” he said. Paying the ransom is a small price to pay when one considers the massive costs incurred in a public breach.
So, pay or not? Leave your thoughts on the topic in the comments.