Avoiding Ransomware: Case Study on University of Utah's $457,000 Payment to Malicious Hackers



At the end of last week, ZDNet reported that the University of Utah paid $457,000 to malicious hackers who threatened to disclose university information following a ransomware attack. Subsequent reporting indicated it was the NetWalker gang, which was also responsible for a similar attack against Michigan State University earlier this summer (Michigan State also paid).

Here’s the thing. There’s a good chance the attackers will release that data at some point in the future anyway. We know from analysis of those selling ransomware and those selling leaked data that there is significant overlap between the two groups (CYR3CON conducted this research back in 2016 – see figure below).

Figure 1. Relationship between ransomware sellers and leaked data sellers in online hacker communities. (Figure: Vendor Market Network)

What’s even more interesting is that the whole incident was likely avoidable. The FBI released a warning on the NetWalker ransomware group in July and cited two vulnerabilities that NetWalker was using. The CYR3CON platform has been tracking intelligence on these vulnerabilities and making predictions on them since late 2019. For example, the PCS vulnerability described by the FBI was hovering around a 10x likelihood of exploitation since late August of 2019 – nearly a year before this recent event broke. These are what we would refer to as “ignored threats” – threats that are knowable for a long period of time but not acted upon in a proactive manner.

Figure 2. Changes in predictions to the PCS vulnerability reportedly used by NetWalker.

Why do organizations continue to suffer these attacks? At the time of this writing, 1,425 vulnerabilities had been disclosed (per NIST), and according to a recent Palo Alto study only about 1% of the software vulnerabilities disclosed in 2020 have actually been used in an attack. Organizations fail to prevent these attacks because they fail to patch the right vulnerabilities.
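One concrete way to operationalise "patch the right vulnerabilities" is to flag the ignored threats described above: unpatched vulnerabilities whose predicted exploitation likelihood has stayed elevated for months, ranked against the naive CVSS-only order. The Python below is an added example, not CYR3CON's platform code; the vulnerability identifiers, dates and likelihood scores are constructed, and the 5x threshold and 90-day window are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Vuln:
    vid: str            # placeholder identifier (constructed, not a real CVE)
    cvss: float         # static severity score
    patched: bool
    # (prediction date, predicted exploitation likelihood as a multiple of
    # baseline, e.g. 10.0 == "10x"), oldest first
    history: list

def elevated_since(history, threshold):
    """Start date of the current unbroken run of predictions >= threshold,
    or None if the latest prediction is below it."""
    start = None
    for day, score in history:
        if score >= threshold:
            start = start or day
        else:
            start = None
    return start

def ignored_threats(vulns, as_of, threshold=5.0, min_days=90):
    """Unpatched vulns whose likelihood has been elevated for >= min_days,
    longest-ignored first: (id, days elevated, latest likelihood)."""
    hits = []
    for v in vulns:
        if v.patched:
            continue
        since = elevated_since(v.history, threshold)
        if since is not None and (as_of - since).days >= min_days:
            hits.append((v.vid, (as_of - since).days, v.history[-1][1]))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def cvss_order(vulns):
    """The naive alternative: unpatched vulns ranked by CVSS alone."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True) if not v.patched]

# Constructed sample inventory (dates and scores are illustrative).
AS_OF = date(2020, 8, 24)   # constructed "today" for the example
INVENTORY = [
    Vuln("VULN-A", 8.1, False, [(date(2019, 8, 20), 10.0), (date(2019, 12, 1), 9.5),
                               (date(2020, 4, 10), 10.2), (date(2020, 8, 1), 10.0)]),
    Vuln("VULN-B", 9.8, False, [(date(2020, 1, 15), 0.8), (date(2020, 6, 1), 1.1),
                               (date(2020, 8, 1), 0.9)]),
    Vuln("VULN-C", 7.5, False, [(date(2020, 3, 1), 6.0), (date(2020, 5, 1), 2.0),
                               (date(2020, 8, 10), 7.0)]),
    Vuln("VULN-D", 8.8, True, [(date(2019, 11, 1), 8.0), (date(2020, 8, 1), 8.0)]),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(INVENTORY))
    print("Ignored threats:", ignored_threats(INVENTORY, AS_OF))
```

VULN-B tops the CVSS list yet has never been predicted as likely to be exploited, while VULN-A, with a lower CVSS, has sat elevated and unpatched for about a year; VULN-C is a new, not an ignored, threat.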

In 2019, Ponemon reported that organizations, on average, spend $103,000 on identifying vulnerabilities and their associated threats. This is small when you compare it to what the University of Utah paid in ransom (over four times as much as an average vulnerability management budget) – not to mention costs associated with things like notifying students and employees, post-breach remediation, and reputation harm. It seems like organizational calculus on risk needs to be revisited.

It brings to mind Ben Franklin’s famous quote: “an ounce of prevention is worth a pound of cure.”

CYR3CON offers companies and organizations the opportunity to uncover these ignored threats using our Find Ignored Threats (F.I.T.) Assessment. Complete the form or contact the CYR3CON team to schedule your assessment today.

Also, we invite you to register for our upcoming webinar with the ISC(2) Bangalore team titled Do More with Less: How Small Teams Use Intelligence to Prioritize Large Numbers of Vulnerabilities in the Age of COVID-19 on August 27th at 9:30 am EST.