Lions and tigers and tech, oh my!

It’s just amazing how often we are assaulted at work. It’s becoming harder and harder in the medical community to not be distracted by the overwhelming care, maintenance and complications of tech society.
It must take a special breed of person - with extraordinary intelligence and zero compassion - to want to exploit the systems designed to protect and enhance the care of our most vulnerable populations.

University of Utah pays $457,000 to ransomware gang

As mentioned I don’t get why the U paid the ransom as there are no guarantees the data was destroyed and the sensitive info was secured. Feels like a bad choice to me.

Ransomware is just nasty. I work for a software company. Lots of our customers have their instances hosted by our servers (which are quite secure) but other customers have their own servers running our software. Over the years a few of them have been victimized by ransomware and it has cost them time and money recovering. Usually it’s not been a matter of sensitive information, but a loss of functionality.

The trick of course is if you decide to pay up, do you know for sure you won’t be asked for more $$$$ down the road?

2 Likes

The payment was largely from insurance.

2 Likes

The problem is that the system is only as strong as the weakest link, so if someone opens a suspicious email or visits a questionable website, all of the reasonable security measures a company can take - especially a university that prides itself on being open to the world - are for naught.

1 Like

Truth.

Here’s a sobering reference point. IT Sec is one of several hats I wear.

One of my colleagues was at a barbeque in Palo Alto, bumps into an IT Security engineer from Google, they converse of the craziness of IT Sec and the growing threats, etc.

The Google IT Sec engineer mentions in passing that he’s been recruited to “switch sides”, work for the bad guys… for $10 Million a year.

That’s NBA / MLB money. Have to relocate out of the country, depending on what NSA/CIA find out, might not be able to come back to the US. But for a 25-year-old whose girlfriend just dumped him… that might be an offer some of them take up.

This is an utterly insane reality the grad students and comp sci wizards at the U never imagined when they were pioneers in putting the Internet together, back in 1970, with their colleagues at Stanford & UCLA.

2 Likes

This seems embarrassing.

1 Like

So disappointed in the U; preventable cause, misguided solution.

What is the university supposed to do in this position if not pay the ransom?

1 Like

What is embarrassing to me is that an organization as sophisticated as the U. allowed this to happen. I may be wrong, of course.

As mentioned, the security is only as good as the weakest link, and so this could have been the lowest level employee who clicked on a link that allowed the hack to happen.

Regarding @sancho’s question, there are a few reasons to NOT pay the ransom:

  1. Often ransomware will encrypt your data so you can’t access it and they won’t unencrypt the data until you pay - this was not the case in this instance, meaning their backups were sufficient that they didn’t lose anything (substantive at least). In these instances though where they have you over a barrel, then you really have no choice. So in this case they could have said, “You controlled nothing… pound sand.”

  2. However, it sounds like they had sensitive student info and so this group threatened them by saying they would put it out there unless they paid them lots of money. The problem is how do you guarantee that they’ll do what they say they will do and actually delete the information and not retain copies for further extortion or whatnot? You are basically hoping bad actors won’t be bad actors. So in other words they take your money and release the info anyway.

  3. Paying a ransom is just like what you see in the movies. When a large organization pays a ransom like this it emboldens others to attempt to do the same. “We don’t negotiate with terrorists” is the line of thinking on this.

As @stonguse mentioned, it sounds like the majority of this was paid by insurance, so there is that. And I suppose you can argue that it is 100% guaranteed they’ll leak student info if you don’t pay, and maybe 50/50 if you do. I wonder if that expense was weighed against whatever expense they’d assume by trying to protect the students with leaked data (and we don’t know what that is). There could be lawsuits, or it could be as simple as buying credit monitoring services for the affected students.

One thing I do know for sure though is I would not be publicizing that the U had paid a ransom. I wonder how that got out. I know it is a public entity, but…