
Cyber Incident Victim: University of Utah

Date:

Aug 2020

Location:

United States of America

Summary

The University of Utah suffered a ransomware attack that compromised approximately 0.02% of its stored data, primarily student and employee information. Although the affected systems were restored from backups and no central IT infrastructure was breached, the institution paid the attackers $457,000 through its cyber insurance policy to prevent public disclosure of the stolen data. Law enforcement was notified, external cybersecurity consultants were engaged, and the affected servers were isolated during the investigation. While no core systems were compromised, the university acknowledged possible residual vulnerabilities and began security enhancements, including migrating sensitive college-level data to centrally managed, protected services.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actors:

0 actors

Type:

Available to members

Location:

Available to members

Description

On or around August 24, 2020, the University of Utah experienced a ransomware attack targeting servers within its College of Social and Behavioral Science (CSBS). The attackers compromised approximately 0.02% of the university's stored data, including sensitive information belonging to students and employees. After encrypting the systems, the threat actors issued a double extortion demand: payment was required not only to restore access but also to prevent public release of the stolen data. On detecting the intrusion, university officials isolated the affected CSBS servers from both the campus network and the internet. They notified law enforcement and contracted an external cybersecurity consultant specializing in ransomware incidents to assist with forensic analysis and incident management.


The university restored the affected systems from backups and confirmed that its central IT infrastructure had not been compromised. Despite that recovery capability, administrators authorized a $457,000 ransom payment through the institution's cyber insurance policy, judging that the financial and reputational risk of data exposure outweighed the cost. The payment was therefore a measure to prevent public dissemination of the exfiltrated records rather than a purchase of decryption tools. A payment of this kind rests on the attackers' word alone and offers no technical assurance that the stolen copies were destroyed. Internal investigation found no evidence of threat actor persistence in university systems after remediation. The institution acknowledged that residual vulnerabilities, which it did not detail publicly, remained in its environment and began security enhancements, including migrating college-level systems that store restricted data to centrally managed services with stronger protective controls. Public communications advised the university community to maintain password hygiene but did not confirm whether compromised credentials contributed to initial access.

Sources
Sources available to members
1 source