Ransom probably isn’t the right term, it’s more like extortion. Failing to pay is hardly the moral high ground. It’s just the least expensive option. Businesses aren’t held accountable for their breeches by the US justice system and so facing the courts and captive customers/staff is the cheap and easy way out.
Not surprising. University of Texas has something like 55,000 subdomains. I don't think 50 full time sysadmins/cybersecurity people could keep that secure.<p>Also interesting of note, why does UTexas's name servers point to University of Illinois's name servers?<p>Could be nothing. After all UI was where Firefox was developed originally by Marc Andreesen and others around 1994. This is also where the Apache web server was created.
Within the EU, GDPR seems to have an interesting impact on how companies/organisations respond to cyber attacks like this: if they don't pay the ransom, the data is leaked, and they are now liable under GDPR and will likely have to pay a (very large) fine to the regulator for the data leak. Attackers are surely savvy to this, and should set the ransom to be slightly lower than what they estimate the fine would be, which 'motivates' the organisation to pay the ransom.<p>In theory however, even if the organisation recovers the data by paying the ransom, they should still report this as a data breach, and would probably be fined by the regulator even though the data was recovered, since the breach still occurred in the first place.<p>I'd be very interested to know the impact the new California state laws on privacy have had on UC's decision to (seemingly) pay the ransom; I'm not based in the US, nor am I familiar with the jurisdiction, but I imagine that this will have been taken into account and might explain why UC acted differently to MSU here.