Los Angeles Community College Pays Hackers $28,000 Ransom
By Dana Bartholomew
When a malicious hacker locked out 1,800 staff and teachers from their computers at Los Angeles Valley College this week, college administrators faced an agonizing choice: pay a ransom or leave 20,000 students in the lurch.
They elected to pay a $28,000 ransom. In bitcoins.
"In consultation with district and college leadership, outside cybersecurity experts and law enforcement, a payment of $28,000 was made by the District," Los Angeles Community College District Chancellor Francisco C. Rodriguez, in a statement Friday.
"It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost."
Computer systems throughout the Valley Glen campus suffered a massive meltdown Friday that continued through the New Year's holiday into the start of college's winter session.
While classes that began Tuesday were conducted as usual, 1,800 Valley College administrators and teachers were shut out from hundreds of computers, crippling access to spreadsheets, lesson plans, emails, voicemail, even the LAVC website.
District computer techs soon discovered the culprit: a ransomware virus spread by an anonymous hacker to randomly infect the entire college computer system.
Not unlike the growing number of cyber attacks that have cost businesses, hospitals and even police departments and government agencies hundreds of millions, the hackers demanded money in exchange for access to campus computer data.
"You have 7 days to send us the BitCoin after 7 days we will remove your private keys and it's impossible to recover your files," said a ransom note inserted on a college server, according to the campus newspaper.
After the payment was made via a third party Wednesday, according to the college district, a "key" was delivered to unlock computer systems.
It may take weeks to unlock every campus computer, officials said, as well as to assess the damage to computer systems. It's also unclear how much of the cost will be covered by the district's cybersecurity insurance policy.
An investigation is being led by a Los Angeles Sheriff's Department cyber security unit. A computer security firm, The Crypsis Group of Virginia, was hired for an unknown sum to delve into the nature of the attack.
Officials say it was ultimately cheaper to pay the $28,000 ransom than to remove the unidentified ransomware virus -- and risk the loss of precious staff, faculty and student files.
At this point, no one could say whether the extortionist was domestic or from overseas. No data breach at L.A. Valley College was identified, college district officials said, nor were any of its eight other community college campus computer systems infected.
"It's still very early in the investigation," said LACCD consultant Yusef Robb. "The first task was to make sure classes were up and running and that data could be recovered.
"There were hundreds of thousands of files that were potentially affected and will take some time to know the scope of this."
Last month, a Nigerian national and others were charged in connection with hacking Los Angeles County emails that might have exposed personal data from nearly 800,000 people who had conducted business with county departments. The attack occurred May 13.
Last February, a ransomware attack demanded Hollywood Presbyterian Medical Center pay $17,000 in bitcoin to restore access to its computer system. Last Thanksgiving, a hacker demanded $73,000 to unlock a San Francisco transit system, but Metro Muni officials refused to pay while fending off the cyber assault.
A new law written by state Sen. Bob Hertzberg, D-Van Nuys, allows any hacker suspected of employing ransomware to be charged with felony extortion punishable by prison sentences up to four years.
The legislation followed more than $200 million in ransomware payments in the first three months of last year, compared with $25 million in all of 2015, according to the FBI. Many cases go unreported. It took the Los Angeles college district five days to announce the attack.
Hertzberg said that, in addition to stiffer punishment for offenders, law enforcement agencies need more funds to hire computer experts, while a culture of institutional secrecy about being hacked must be broken in order to aid investigators.
"This stuff is happening everywhere," Hertzberg said. "My office was hacked while I wrote a ransomware bill. It's costing billions of dollars.
"If you're in government, you're afraid of looking bad. If you're at Valley College, you don't want to admit you have a problem."
(c)2017 the Daily News (Los Angeles)