A school located in Los Angeles County, California has paid computer criminals 28,000 USD after it suffered a ransomware attack. Officials at Los Angeles Valley College (LAVC) came to the decision after a ransomware infection left them with no way to recover their organization's encrypted data. As the school explains in an update (PDF):
"In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a payment was made by the District. It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost."
Los Angeles Valley College The Register reports that alternative recovery methods such as data backups and free decryption utilities weren't available to the school following the infection. The attack occurred on 30 December 2016 when computer criminals "seiz[ed] file, email[,] and messaging systems and... [held them ransom] for almost $30,000." To make sure they got paid, the attackers left the college a ransom note. It made clear the school had only a limited amount of time to pay. As quoted by The Valley Star:
"You have 7 days to send us the BitCoin after 7 days we will remove your private keys and it’s impossible to recover your files."
As of this writing, it's unclear who the actors were behind the attack or what ransomware they used to target LAVC. Fortunately, the infection did not affect winter classes at the educational institution. There's also no evidence to suggest the computer criminals stole or abused the sensitive information of staff, faculty, and students. LAVC used their digital security insurance policy to pay the attackers. It makes clear in its update that doing so has thus far helped it recover its data:
"After payment was made, a 'key' was delivered to open access to our computer systems. The process to 'unlock' hundreds of thousands files will be a lengthy one, but so far, the key has worked in every attempt that has been made."
The school's lucky. Ransomware authors are under no obligation to hand over a decryption key. And even if they do stay true to their word, coding errors in their software could prevent the decryption key from working for a victim. With that said, organizations should work towards preventing a ransomware infection by following these strategies. They should also never pay the ransomware authors unless it's their last resort. Here's what they should do before they make that decision.
