Los Angeles Valley College Ransomware Attack: 28K Paid for Key

A Los Angeles Valley College ransomware attack on January 6, 2017 resulted in student data being locked and 1,800 college administrators and teachers being prevented from gaining access to their computer system and essential files.

Ransomware is malicious software that encrypts a wide range of file types, including databases. The data is not moved or copied, just renamed and encrypted. In order to unlock the encryption, a unique key is required. The only key to unlock the encryption is held by the attacker. Payment of the ransom should see the key supplied to allow data to be unlocked, although there are no guarantees. There have been numerous instances where ransom payments have been made, yet the attackers have failed to supply a viable key to unlock the data. Unfortunately, many organizations have little choice but to pay the ransom in the hope that a viable key will be supplied.

The malicious actors behind the Los Angeles Valley College ransomware attack issued a ransom demand of $28,000 to supply the keys to decrypt the data, one of the biggest reported ransom demands issued in the past 12 months. The college was given 7 days to make the payment using the virtually anonymous Bitcoin cryptocurrency.

While many organizations have avoided paying attackers by recovering files from a backup, the college had no backup that could be used to restore the data. Administrators therefore had only two options: Pay the ransom or risk losing the data forever.

Advice was sought from cybersecurity experts on the possibility of recovering from the attack without paying the ransom. However, after a careful analysis the college was advised to pay up. If the ransom was paid the cybersecurity experts said there was a high probability that the attackers would supply a viable key to unlock the encryption. If payment was not made there was a very high probability that data would be permanently lost. Payment was made in Bitcoin by a third party and a key was supplied by the attackers which allowed data to be recovered.

The college has a cybersecurity insurance policy which should pay at least some of the cost, although at this stage it is unclear how much of the cost the college will need to cover itself. Even if the ransom payment is covered by the policy, the college must still complete the long and laborious task of unlocking every computer that was affected. A thorough analysis of the college’s IT systems must then be conducted to ensure no backdoors have been installed. Additional cybersecurity protections are likely to be purchased to prevent further attacks from occurring. The cost of the Los Angeles Valley College ransomware attack could therefore be substantial.

The process of decrypting the computers could well take weeks and would require considerable resources, given the extent of the Los Angeles Valley College ransomware attack.

Little is currently known about the exact nature of the attack. The ransomware variant used has not been disclosed, although the attack is believed to have been random rather than targeted. A consultant brought in to investigate the ransomware attack said: “There were hundreds of thousands of files that were potentially affected and will take some time to know the scope of this.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news