Ransom was paid to hackers by college
“Malicious actors” were behind August’s crippling cyberattack
When “malicious actors” carried out a cyberattack on Regis University last August — crippling the Denver campus’s IT network and downing phones, email and Wi-Fi — university officials paid the hackers a ransom in hopes of restoring their incapacitated systems.
Yet even after that payment, which Regis leaders publicly revealed for the first time to The Denver Post, the cyberattack still impaired day-to-day operations at the private Jesuit college for months.
Regis officials had not previously acknowledged the attack involved ransomware, which can render computer systems inoperable until the target meets hackers’ financial demands.
“The attack hit us the morning students were moving back to campus,” said Salvador Aceves, Regis’ senior vice president and chief financial officer. “It was a rather precarious time for us … That was certainly a time where just as we’re trying to have students settle in, we also had the unfortunate and needed reality of shutting down our systems. We
were trying to ensure we had all the possible opportunities to restore or rebuild available at that time.”
Aceves declined to say how much the university paid the hackers. University officials also have not revealed how much they’ve spent on recovery from the attack, which led them to distribute paper course schedules to students last fall and post signs on campus that read, “Enjoy a break from the connected life.”
On Tuesday, Regis is holding a cybersecurity summit nearly six months after the university’s systems were hacked, gathering professionals from across the country to publicly talk about the ransomware attack and share what the institution and others impacted have learned, all in a bid to help prevent such incidents from happening again. The FBI was involved in investigating the Regis cyberattack along with a private data recovery company, Gillware, that combed through the system to try to figure out what happened, Aceves said.
“The thing we were most concerned about was making sure there was no compromise when it came to our data,” Aceves said. “I’m happy to say, at this point, there was no evidence found that indicated that these malicious actors compromised our data.”
When attacked by ransomware, Regis University and a growing number of American institutions such as government agencies, health care systems and even entire cities are forced to fend off a digital kidnapper of sorts.
“Ransomware is a virus that encrypts most files or all files on a computer to the point that your computer is not usable,” said Greg Williams, director of IT operations at the University of Colorado Colorado Springs and a cybersecurity professor.
To initiate an attack, a hacker can shoot off an email to an employee, luring them to click a link or download an attachment that begins infecting the computer. That can quickly spread to linked computer and IT systems, devastating entire institutions or businesses, Williams said.
“In the case of the businesses that pay, it’s probably because they don’t have backups to the things they need to continue running,” Williams said, noting that UCCS was hit with a cyberattack in 2014, but declined to pay because the campus had good backup systems. “It’s basically holding your data hostage until you decide to either pay the ransom or not pay it.”
The ransom can be paid out in a digital currency like Bitcoin.
“It’s happening quite a bit,” Williams said. “It’s happening to every kind of business.”
To prevent such attacks, Williams said it’s important to educate employees not to open attachments or click on links when they don’t know what they’re opening. Having a good digital security program, solid anti-virus software and keeping software up to date is also important, Williams.
Further details of Regis’s cyberattack weren’t made public prior to Tuesday’s summit. But Shari Plantz-Masters, dean of Regis’s College of Computer & Information Sciences, said the university wants to share its story to prevent other digital catastrophes.
Tuesday’s summit at the university features industry professionals — including staffers from the Colorado Department of Transportation, which battled a cyberattack in 2018 — talking about best practices in handling attacks and prevention.
“Even five years ago, an organization that was attacked wouldn’t tell anybody,” Plantz-Masters said. “There was the idea that you can’t publish what has happened to you because it shows you’re vulnerable. It’s become so prevalent that if you don’t band together, you’re going to have a real tough time combating this.”