US college pays $28,000 to get files back after ransomware attack

Los Angeles Valley College (LAVC) has paid $28,000 (£22,500) in Bitcoins, a public record, to extortionists after ransomware encrypted hundreds of thousands of files held on its servers.

In a public statement that shares the College’s homepage with upbeat messages about visiting its campus Lion Cafeteria, LAVC said the unnamed ransomware got inside the organisation on December 30.

It was detected within hours but too late to stop IT staff being locked out of critical files held on multiple servers. In addition to losing data access, important services went down, including the College’s network, email and phone system, bringing the College to a standstill.

So far, the story replicates what has been happening behind a modesty curtain of silence in countless smaller organisations since almost untraceable Bitcoins turned ransomware into a crime that could be carried out at industrial scale.

An organisation finds itself with a figurative gun held to its head and a choice: how badly does it want those files and servers back?

In this case, LAVC appears to have left the decision to pay to the last possible moment on January 6, three days after its nearly 20,000 students returned for the new semester.

As president Dr Erika Endrijonas described the process:

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.”

That turned out to be accurate. Ransom paid, the extortionists duly delivered a decryption key, even if that still left the organisation with the laborious task of unlocking each file one at a time.

But there appears to have been a second factor that played some part in the decision: LAVC had taken out cyber-insurance of a sort it believes will cover at least some of the costs generated by the incident. It’s not clear how far that coverage goes but it did give it access to “cybersecurity experts.”

There is evidence that demand for cyber-insurance is on the up in the US and the UK, albeit from a low base. However, this incident is still a rare example of an organisation citing cyber-insurance after succumbing to ransomware.

When ransomware attacks on businesses emerged, there was a view that insurance might discourage organisations from investing in better security because the cost of buying security (including restoring systems from backups over many days) would always be greater than the cost of a ransom. With ransoms now reaching tens of thousands for an attack, that might no longer be the case.

If payouts rise, so eventually will premiums, which could take them beyond some pockets. There is also the small issue of data security. LAVC said “no data breach has been identified,” but the worry remains a live one.