A ransomware attack on LA Valley College on 6 January 2017 led to student data being locked and left some 1,800 college staff, both administrators and teachers, unable to access their computer systems and essential work files.
Ransomware is a form of malicious software whose purpose is to encrypt a wide range of file types, which can include databases. The data in the files is not moved or copied; the files are renamed and encrypted in place. Unlocking the encryption requires a unique key, which is the only one capable of decrypting the data and which is retained by the attacker. The attacker then demands a ransom in exchange for the key. Payment should result in the key being transmitted so that the data can be unlocked, but there is no guarantee that the attacker will release the key once the ransom is paid. On a number of occasions victims have paid the ransom only for the attackers to fail to provide a viable key. Sadly, given the nature and importance of the encrypted information, numerous organizations have little or no choice but to accede to the demand in the belief that a working key will indeed be supplied.
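The "renamed and encrypted in place" pattern described above is something a defender can look for on a file server. The following is an added example, not code from the article or from the college: it flags files that carry an extra extension appended to a normal document extension and whose leading bytes are near-random. The extension list, entropy threshold and sample files are constructed assumptions; the extension the real attack appended is not known from the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholder list of "normal" document extensions; the extension
# appended by the ransomware in the incident is not known.
ORIGINAL_EXTS = {".docx", ".xlsx", ".pdf", ".db", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 4096) -> bool:
    """True when the file has an extra extension appended to a normal document
    extension (renamed) AND its leading bytes are near-random (encrypted)."""
    suffixes = path.suffixes
    renamed = len(suffixes) >= 2 and suffixes[-2].lower() in ORIGINAL_EXTS
    with path.open("rb") as fh:
        head = fh.read(sample)
    return renamed and shannon_entropy(head) >= threshold


def scan_tree(root: Path) -> list[str]:
    """Return relative paths of files matching the renamed-plus-encrypted pattern."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and looks_encrypted(p):
            hits.append(str(p.relative_to(root)))
    return hits


def demo() -> list[str]:
    """Build a constructed sample tree and scan it (assumed data, not real files)."""
    root = Path(tempfile.mkdtemp())
    (root / "grades.xlsx").write_bytes(b"student,grade\n" * 300)   # original name, low entropy
    (root / "thesis.docx.locked").write_bytes(os.urandom(4096))    # renamed and high entropy
    (root / "readme.txt.locked").write_bytes(b"A" * 4096)          # renamed but not encrypted
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())  # ['thesis.docx.locked']
```

The entropy check alone would also flag legitimate compressed files such as ZIP or JPEG, which is why the renamed-extension condition is required as well.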
The wrongdoers responsible for the Los Angeles Valley College ransomware attack demanded $28K for the keys that would decrypt the data, one of the biggest known ransom demands issued over the previous year. The college was given one week to make the payment in the almost completely anonymous Bitcoin cryptocurrency.
Although many targeted organizations have avoided paying attackers by recovering the encrypted files from a backup, in this case the college had no viable backup from which to restore the data. Administrators were therefore left with a stark choice: pay the money demanded or risk losing the data permanently.
Expert advice was sought from cybersecurity specialists on whether the data could be recovered without paying the ransom. Following a detailed analysis, however, the college was advised to pay. The specialists concluded that there was a high probability that these attackers would provide a viable key once the ransom was received, and that without payment the encrypted data would very probably be lost forever. The payment was made in Bitcoin via a third party, and the attackers did provide a decryption key that allowed the locked data to be recovered.
The college holds a cybersecurity insurance policy that should cover at least part of the cost incurred, although it remains unconfirmed how much the college itself will have to pay. Even if the policy covers the ransom payment in full, the college still faces the long and difficult task of unlocking every computer affected by the attack. A detailed review of the college’s IT systems will then be conducted to ensure that no backdoors were installed during the attack, and further cybersecurity protections will probably be purchased to prevent future attacks. The overall cost of the ransomware attack is therefore likely to be considerable.
Given the scale of the LA Valley College cyber attack, decrypting the computers may well take several weeks and require significant resources.
Few details are clear about the exact form of the attack. The ransomware variant used has not yet been made public, but initial indications are that the attack was opportunistic rather than targeted. A consultant hired to investigate the incident has indicated that hundreds of thousands of files may have been affected and that fully evaluating the scope of the attack will take some time.