
US college admits paying $28,000 ransom to cyber attackers

Los Angeles college was forced to pay ransomware attackers after being locked out of key computer systems and data

The Los Angeles Community College District has admitted handing over $28,000 in bitcoin to cyber attackers to regain access to data encrypted by malware commonly known as ransomware.

Ransomware is usually delivered through malicious links or attachments in email messages or through a compromised website, and once running it typically encrypts the files it can reach on the infected machine and on any network shares that machine can write to.

The ransomware attack hit Los Angeles Valley College on 30 December 2016, locking college staff out of the computer network, including college email and voicemail systems.

The college said in a statement that both the ransom payment and the assistance of outside cyber security experts were funded through a cyber security insurance policy taken out to cover such incidents.

Security and law enforcement representatives routinely advise against paying ransoms because it entrenches this type of cyber criminal activity and there is no guarantee that data will be restored.

For example, after the Kansas Heart Hospital paid initial ransom demands in May 2016, the attackers granted only partial access to files and demanded an additional payment, but the hospital said it refused to pay.

The Los Angeles Valley College said the decision to pay the ransom was made in consultation with district and college leadership, outside cyber security experts and law enforcement.

“It was the assessment of our outside cyber security experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the college said.

Fortunately for the college, the attackers delivered a key for decrypting the data after payment was made. “The process to unlock hundreds of thousands of files will be a lengthy one, but so far, the key has worked in every attempt that has been made,” the college said.


Investigators said it appeared the college had been targeted at random rather than singled out, and that no data breach had taken place, suggesting the attack was aimed purely at extorting a ransom payment.

Ransomware payments made in the US in 2016 could total about $1bn, according to the FBI, compared with $24m paid to cyber attackers in 2015.

Eric O’Neill, Carbon Black’s national security strategist, said data collected by the security firm supported the FBI findings.

“Carbon Black data shows that ransomware instances grew by more than 50% in 2016 compared with 2015, and that ransomware emerged as the fastest-growing malware across all industries in 2016, with major increases seen at technology companies, energy/utility companies and banking organisations,” said O’Neill.

Ransomware is expected to keep growing and to become the dominant form of cyber crime in 2017, with the malware tipped to become more sophisticated and attacks more targeted.

Pursuit of profit

The pursuit of profit is cyber criminals’ primary motivation, and ransomware is the simplest and most effective way to achieve this, said researchers at Panda Security.

Security researchers expect ransomware attacks against large companies to increase because attackers will be able to demand higher ransoms, making enterprise targets more attractive.

The threat of ransomware encryption and file deletion can be minimised by solid malware protection, email hygiene and regular backups that are kept offline, so the malware cannot reach and encrypt them along with the live data.

However, Avast’s Ondrej Vlcek said cyber criminals could also steal a copy of sensitive data and threaten to publish the files online if the company failed to pay the ransom, a threat that offline backups alone do not address.

“This technique is called doxing,” he said. “It has been used in hacking attacks where systems have been penetrated. While, to date, only proof-of-concept inclusions of doxing capabilities have been seen in ransomware, we are expecting to see more of this type of extortion in the wild in 2017.”
