A Los Angeles community college recently paid US$28,000 (£23,000) after it was left with no recourse but to cave to a ransomware attacker's demands. Los Angeles Valley College is believed to have suffered the attack on New Year's Eve, with the ransomware taking hold of the data of a potential 1800 staff and 20,000 students.
While classes went ahead as usual, students and staff were reportedly locked out of critical computer systems and resources. It is not known exactly what was encrypted, but it was apparently enough to paralyse day-to-day operations to the point that the college ended up paying the ransom. A message from Dr Erika Endrijonas, president of the college, said, “It was the assessment of our outside cyber-security experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.”
The message added, curiously, as of 6 January, “at this early stage of this complex investigation, no data breach has been identified”.
As-yet-unidentified attackers apparently told the school to pay the ransom in bitcoin within seven days or the encryption keys would be thrown away, making the encrypted data impossible to recover. This may have been avoidable if the college had backed up its data, which it apparently did not.
Jonathan Sander, VP of product strategy at Lieberman Software, told SC Media UK that the payment could have been avoided: “The key phrase in the LA schools ransomware story is that they had no other choice but to pay since they lacked a backup. Ransomware is not an act of God. In most cases it can be prevented by being careful with email and phishing attacks or remediated by having good backups.”
Sander added, “of course, to maintain good backups an organisation needs good IT staff and equipment. Neither is free. Schools, especially big city schools, don't tend to have the money for that. And when they get stuck with big ransomware payouts, then they have even less money for their mission.”
The Los Angeles Community College District (LACCD), which governs Los Angeles Valley College, has a cyber-security insurance policy which came into effect during the attack, but it is not yet known whether the policy will reimburse the college for actually paying the ransom.
The cyber-security unit of the Los Angeles Sheriff's department is investigating the attack, and a security company, the Crypsis Group, has been employed to aid, according to the LA Daily News.
Dr Francisco Rodriguez, chancellor of the LACCD, released a statement in the wake of the attack. The Chancellor told press that the District was currently working with local and federal authorities to learn more: “Our top priority in resolving this incident is ensuring that the security and privacy of our students and employees is protected. The District will provide updates as additional details are confirmed. In the meantime, we will continue working with law enforcement on their on-going investigations.”
The US Federal Bureau of Investigation recently said that ransomware is on track to become a £1 billion dollar industry. While ransomware is recognised within the security industry as one of the greatest cyber-threats to organisations in 2016, others have been slower to realise it. The now common advice of backing up data to pre-empt ransomware attacks seems not to have been taken on board by the Los Angeles Valley Community college.
This news comes on the tail of reports that ransomware campaigns have been targeting UK schools and charging up to £8000 for the release of kidnapped information. Steve Morgan, security advisor at Sophos, told SC that a recent survey showed the UK education sector in a similarly confused light about these kinds of threats. Morgan told SC: “The severity of the breaches vary from data loss to ransomware, but the issue still remains, that schools are a target and these breaches are destroying schools' reputation and productivity. For this reason it is imperative that schools are aware, prepared and educated about these threats.”
Many don't consider ransomware as dangerous as they perhaps should: “Only 14 percent of those surveyed view ransomware as their biggest concern, highlighting that despite its growing awareness throughout 2016, there is still a lack of awareness about ransomware.”
Vince Warrington, cyber security lead at the Financial Conduct Authority, offered SC some insight as to why that might be: “in my experience IT in British schools is almost on a ‘best endeavours’ basis. Typically schools tend to spend very little on their IT infrastructure, and almost nothing beyond very basic cyber security measures.”
If there isn't a senior official who is worrying about IT security, then there don't tend to be a lot of resources devoted to it. Warrington added, “I know a couple of primary school teachers and they've never had any information on cyber security outside of what they have discovered themselves. So a low-level of knowledge amongst the staff and a lack of investment are one of the reasons why we see schools getting hit hard.”