Attackers continue to focus on revenue generation. The methodology has evolved from simple disruption or website defacement, done for recognition within the community, to a distinct, well-defined business model. The type of target matters less than the end goal. Recent breaches include Hollywood Presbyterian Medical Center in California, which had to keep medical records on paper until it paid a $17k ransom and received a decryption key; a hospital in the UK that was forced to turn away patients and reschedule appointments and procedures; and a university in the US whose student files and medical records were compromised.
In January 2017, Los Angeles Valley College (LAVC) was the victim of ransomware and paid the fee: $28k in Bitcoin for the decryption key. Had LAVC not paid by the deadline, the attackers warned, all of the affected files and data would be deleted.
The attack was detected within a few hours of the infection, which was still too late for the IT staff to protect the critical files. A complicating aspect of this attack was that the files and data were spread across multiple servers, which only made the situation worse. Predictably, the data and the other services the ransomware took control of were also inaccessible.
This attack was significant and devastating in part because it affected so many different systems: financial aid, email, voicemail, and the network access that 1,800 students and staff were locked out of. The affected systems were critical not only to administrative functions and procedures but also to the students themselves.
LAVC had a deadline to meet. As noted, missing it would have meant losing the data. The timing was also an issue: students were returning from winter break and needed access to these systems. This highlights an aspect that has only been marginally researched before now, namely time as leverage for the attackers. Time was a factor in the other cases as well. In the hospital breaches, time mattered because of the ongoing disruption of care; here, time mattered because of the students' imminent return.
Generally, if at all possible, the recommended strategy is not to pay the ransom, for a variety of reasons, all of them valid. An entirely viable defensive strategy is to rely on backups. With a full backup (or a deduplicated backup) in place, ransomware, although traumatic for some and a massive headache for most, is an attack that is completely defensible. The backups do need to be kept where the malware cannot reach them (offline or otherwise immutable) and restore-tested, or they offer little protection. Without a diligent backup process that is in place and actually followed, there is substantial potential for a serious problem.
In this case the backups had not been done properly and were unusable. LAVC consulted its third-party cybersecurity team about the incident and the steps to follow. Based on its analysis, the team advised LAVC to pay the ransom for the decryption key. After payment, the key was provided and the decryption process began. This worked out, in that the payment induced the attackers to hand over the key, but it underscores the importance of diligent, verified backups for any organization.
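The lesson that a backup only counts if it has been verified can be turned into a concrete check. The following is an added example, written for this page rather than taken from the article or from LAVC's cybersecurity team: it records a SHA-256 manifest of the data at backup time, then compares a restored copy against that manifest and reports files that are missing, altered (for instance overwritten with ciphertext) or unexpected (such as files renamed with a `.locked` marker). The directory layout, file names and contents are constructed for the demonstration.

```python
"""Restore verification: a backup is only usable if a restore matches what
was backed up. Build a SHA-256 manifest at backup time, keep it apart from
the data, and check every restore against it. Added example; the paths,
file names and contents below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    missing:    listed in the manifest but absent after restore
    mismatched: present but with a different size or digest (overwritten
                with ciphertext, truncated, or restored from the wrong run)
    extra:      present but not in the manifest (e.g. renamed *.locked files)
    """
    missing, mismatched, extra = [], [], []
    for rel, entry in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != entry["size"] or sha256_of(p) != entry["sha256"]:
            mismatched.append(rel)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                extra.append(rel)
    return {"missing": missing, "mismatched": mismatched, "extra": extra,
            "ok": not missing and not mismatched}


def demo() -> dict:
    """Constructed scenario: back up a small tree, then verify a clean
    restore and a restore taken from a copy that ransomware has touched."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "records"
        (src / "finaid").mkdir(parents=True)
        (src / "finaid" / "awards.csv").write_bytes(b"student,award\n1001,2500\n")
        (src / "mail").mkdir()
        (src / "mail" / "admin.mbox").write_bytes(b"From admin@example.edu\nSubject: test\n")

        # Backup time: write the manifest. In practice store it off-host, on
        # write-once media or under a separate account, so malware that reaches
        # the backup host cannot rewrite the manifest to match its damage.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src)))

        good = tmp / "restore_good"
        shutil.copytree(src, good)

        bad = tmp / "restore_bad"
        shutil.copytree(src, bad)
        # Simulate ransomware on the "backup": one file overwritten with
        # ciphertext-like bytes, another renamed with a marker extension.
        (bad / "mail" / "admin.mbox").write_bytes(b"\x8f\x13ciphertext\x00")
        (bad / "finaid" / "awards.csv").rename(bad / "finaid" / "awards.csv.locked")

        manifest = json.loads(manifest_path.read_text())
        return {"good": verify_restore(good, manifest),
                "bad": verify_restore(bad, manifest)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

Run it as a script and the clean restore reports OK while the tampered one lists the renamed file as missing, the overwritten mailbox as mismatched and the `.locked` file as extra. The point of the design is that the manifest is produced at backup time and stored separately from the data: a restore test that only checks the backup job exited zero would have passed in LAVC's case too.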
Ashford, W. (2017, January 12). US college admits paying $28,000 ransom to cyber attackers. Retrieved from http://www.computerweekly.com/news/450410825/LA-college-admits-payming-28000-ransom-to-cyber-attackers
Dunn, J.E. (2017, January 10). US college pays $28,000 to get files back after ransomware attack. Retrieved from https://nakedsecurity.sophos.com/2017/01/10/us-college-pays-28000-to-get-files-back-after-ransomware-attack/
Kumar, M. (2017, January 10). Los Angeles college pays hackers $28,000 ransom to get its files back. Retrieved from http://thehackernews.com/2017/01/ransomware-malware-attack.html
Rocha, V. (2017, January 11). Los Angeles college pays $28,000 in bitcoin ransom to hackers. Retrieved from http://www.latimes.com/local/lanow/la-me-in-los-angeles-valley-college-hacking-bitcoin-ransom-201701111-story.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.