A school in Los Angeles has made the decision to hand over $28,000 to cyberattackers to regain access to locked computer systems infected with ransomware.
Los Angeles Community College District (LACCD) school, the Los Angeles Valley College (LAVC), was targeted by a strain of ransomware which quickly spread across the school's servers on New Years' Eve.
Services were disrupted for thousands of staff and students as the malware removed access to systems and demanded a fee in Bitcoin in return for a key that could be used to decrypt systems and restore access.
According to campus media the Valley Star, a note was left on one of the servers which read:
"You have 7 days to send us the BitCoin after 7 days we will remove your private keys and it's impossible to recover your files."
The creators of the ransomware also left detailed instructions on how to make the payment with cryptocurrency and linked to a 'demo' website which permitted the school to decrypt two files for free.
Computer, online, email and messaging systems were affected, with those connected to the college left unable to leave voicemails for the school or connect to email services beyond student accounts.
Faced with these problems, LAVC chose to pay up.
In a report on the incident (.PDF), the Los Angeles Community College District said that after consulting district leaders, "outside cybersecurity experts and law enforcement," the payment was made.
The majority of the time, cybersecurity experts advise not to pay up as there is no guarantee that you will regain your locked and encrypted files -- and all you are doing is fuelling the industry and use of such ransomware.
However, when it comes to businesses, as well as critical services such as hospitals and schools, staying true to this can be extremely difficult as the consequences of not being able to access core computer systems can be far more debilitating than biting the bullet and paying up.
In the school's case, although there is no word on which particular strain of ransomware was at fault, it does not appear to be one of many that security researchers have already cracked for the creation of free rescue tools.
As such, rather than lose all of its data (although you have to wonder what backups, if any, were available), a payment was made.
"It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost," the report says.
The Los Angeles Community College was lucky in the respect that after paying the ransom, a key was delivered which successfully restored access to systems -- although the process will be a long one.
It is not always the case and many victims pay the demand only to find ransomware strains do not always have the capacity to issue decryption keys or fulfill their promise.
While the school is rapidly working to restore student, faculty and employee data at LAVC, an investigation is ongoing to determine whether a data breach has also taken place.
The case does highlight the need for businesses to consider cyberinsurance policies, however. The school was able to pay for the key due to an insurance policy bought "to address these specific types of cyber intrusions," and so, at the least, funds were not stripped from the college itself.