Los Angeles Valley College (LAVC) has paid a publicly disclosed $28,000 (£22,500) in Bitcoin to extortionists after ransomware encrypted hundreds of thousands of files held on its servers.
In a public statement that shares the College’s homepage with upbeat messages about visiting its campus Lion Cafeteria, LAVC said the unnamed ransomware got inside the organisation on December 30.
It was detected within hours, but too late to stop IT staff being locked out of critical files held on multiple servers. In addition to losing access to data, important services went down, including the College’s network, email and phone system, bringing the College to a standstill.
So far, the story replicates what has been happening behind a modesty curtain of silence in countless smaller organisations since pseudonymous, hard-to-trace Bitcoin payments turned ransomware into a crime that could be carried out at industrial scale.
An organisation finds itself with a figurative gun held to its head and a choice: how badly does it want those files and servers back?
In this case, LAVC appears to have left the decision to pay to the last possible moment on January 6, three days after its nearly 20,000 students returned for the new semester.
As president Dr Erika Endrijona described the process:
“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.”
That turned out to be accurate. Ransom paid, the extortionists duly delivered a decryption key, even if that still left the organisation with the laborious task of unlocking each file one at a time.
But there appears to have been a second factor that played some part in the decision: LAVC had taken out cyber-insurance of a sort it believes will cover at least some of the costs generated by the incident. It’s not clear how far that coverage goes but it did give it access to “cybersecurity experts.”
There is evidence that demand for cyber-insurance is on the up in the US and the UK, albeit from a low base. However, this incident is still a rare example of an organisation citing cyber-insurance after succumbing to ransomware.
When ransomware attacks on businesses emerged, there was a view that insurance might discourage organisations from investing in better security, because the cost of security (including the days spent restoring systems from backups) would always exceed the cost of a ransom. With ransoms now reaching tens of thousands of dollars per attack, that may no longer be the case.
If payouts rise, so eventually will premiums, which could take them beyond some pockets. There is also the small issue of data security. LAVC said “no data breach has been identified,” but the worry remains a live one.
Bitcoin, the currency that should be able to be traced from the day it was mined to the last transaction, somehow can’t be tracked when crims use it. Past time for the coppers to take over the laundromats, I mean BT banks, and crack some skulls.
I’m curious as to what Sophos Intercept X might have done in this case? I ask as my security vendor is currently talking to me about this.
Wonderful, a whole new insurance market to exploit. But who will exploit? The criminals or the insurance companies? This sends a message to the criminals that ransomware is MORE likely to pay out if people take up the new insurance.
Seems like they should spend another 28k on a proper backup solution, so they restore with minimal to no loss.
I have a feeling companies buying ransomware insurance will just make the ransom even more expensive. After all, you could maybe milk an organisation for a few thousand, but if you know they’ve got insurance to cover it then why not up it to a few tens of thousands?
…and of course, this increases the cost of premiums. Hopefully though, this will force people to ensure they have proper backups and security systems in place to prevent as much as possible, and restore should the worst happen.
This is the first time I’ve ever heard of an expert recommending making the payment. Quite often these malware actors will take your money and not provide any key.
That’s the complete opposite of everything I read – that the attackers are surprisingly professional and will follow through with the decryption key (otherwise no one would ever pay out)