Valley College struggles to recover from brute force ransomware attack, costs expected to exceed $250,000
By D.R. Harward
The Los Angeles Community College District ushered in the new year facing a new kind of threat straight out of cyberspace, known as ransomware, and the cost of restoring the computer systems at Valley College is expected to exceed $250,000.
In the final days of 2016, the computer network at Valley College was infiltrated, disabled and held hostage by an anonymous group of criminals who demanded that a ransom be paid or the information being held hostage would be lost forever.
College administrators weighed the cost of replacing the on-campus network together with the loss of irreplaceable information and decided to pay the ransom of nearly $28,000. After almost a month, over 20 percent of the affected computers remain unusable and costs continue to accrue.
College I.T. Manager Hanh Tran said her staff has been focused solely on restoring the encrypted files, but even on a single server the number of files is staggering, and with 71 of the school’s 124 servers disabled, the task becomes exponentially more daunting and time consuming.
However, Tran did have some good news to report: “It was confirmed this morning that no data collection had occurred,” she said, in reference to the security of sensitive personal information about students, faculty and staff.
Tran also revealed that only the email and website servers had been exposed to the hackers—the Student Information System, which contains sensitive personal information about students and staff, is not kept on-site and therefore had not been available for the intruders to exploit.
Virtual extortion has gone viral in the 21st century, costing companies over $400 billion last year according to insurer Lloyd’s of London. The F.B.I. has stated that ransomware has become a significant threat to U.S. businesses and that the number of victims has grown substantially in the last three years.
According to the F.B.I., an attack typically begins when someone clicks on an infected advertisement or e-mail attachment, or visits a compromised website. The ransomware then proceeds to encrypt important files and documents, rendering them unreadable unless a ransom is paid.
The execution of the robbery at Valley differs from other ransomware attacks in that it did not rely on the ignorance of someone to inadvertently click on an email attachment or to visit an infected website to provide access for this breed of hackers. Instead, a “brute-force attack” was used to break into the network over the extended Christmas weekend.
Attacks of this type often involve using exotic, but readily available, software to guess the passwords of the system. Weak passwords are the most susceptible to these types of attacks, and those at Valley did not meet current security standards.
Prior to the attack, the LACCD password policy was not enforced; each college essentially created its own policy, leaving a patchwork of practices across the nine campuses in the district.
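The defensive counterpart to the password-guessing described above is spotting it in authentication logs before a guess lands. The following is an added example, not code from the college, the district or its consultants: it parses constructed sshd-style log lines (the hostnames, usernames and addresses are made up for the illustration), flags any source address that racks up a threshold of failed logins inside a sliding time window, and records whether that same source then obtained an accepted login, which is the event that should page someone.

```python
"""Flag brute-force login activity in authentication logs.

Added illustration; not code from the Valley College incident or LACCD.
The log format, hostnames, usernames and addresses are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in an sshd-like format (not real campus logs).
# One source hammers several accounts over a few seconds and then succeeds;
# another is a user who simply mistyped once.
SAMPLE_LOG = """\
Dec 24 02:11:03 mail01 sshd[4411]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Dec 24 02:11:04 mail01 sshd[4411]: Failed password for admin from 198.51.100.7 port 50213 ssh2
Dec 24 02:11:05 mail01 sshd[4411]: Failed password for root from 198.51.100.7 port 50214 ssh2
Dec 24 02:11:06 mail01 sshd[4411]: Failed password for root from 198.51.100.7 port 50215 ssh2
Dec 24 02:11:07 mail01 sshd[4411]: Failed password for backup from 198.51.100.7 port 50216 ssh2
Dec 24 02:11:09 mail01 sshd[4411]: Accepted password for backup from 198.51.100.7 port 50217 ssh2
Dec 24 09:30:00 mail01 sshd[5120]: Failed password for jsmith from 192.0.2.44 port 61002 ssh2
Dec 24 09:45:00 mail01 sshd[5121]: Accepted password for jsmith from 192.0.2.44 port 61003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text, year=2016):
    """Yield (timestamp, result, user, source) tuples; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by source address.

    A source is flagged once it accumulates `threshold` failed logins within
    `window` (sliding). An accepted login from an already-flagged source is
    recorded under "success_after": a guess that worked.
    """
    failures = defaultdict(deque)  # src -> recent (timestamp, user) failures
    alerts = {}
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            q = failures[src]
            q.append((ts, user))
            # Drop failures that have aged out of the window.
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": q[0][0],
                    "failures": len(q),
                    "users_tried": sorted({u for _, u in q}),
                    "success_after": None,
                }
        elif result == "Accepted" and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The threshold and window are deliberately low so the constructed sample trips the rule; in production they are tuned per service, and the same sliding-window logic applies to RDP, VPN or web-mail logins once the regex is swapped for that log format. The value of the "success_after" field is that it separates noise (a scan that never got in) from the case the college describes, where the guessing worked.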
In light of this recent attack, the district has issued a new directive to reestablish its stricter password policy, which, according to Tran, will be instituted on Friday, Feb. 10. These protocols require much longer passwords that must be changed at biannual intervals for all staff and faculty members; this will not affect student passwords, Tran said.
In response to a reference to the theory that an employee might have provided access into the network, Erika Endrijonas, the president of Valley College, said:
“This was not from an email, this was not somebody just randomly clicking on an email. This is what is called a brute-force attack and it went through one of our servers.”
In an exclusive interview with the Star, Endrijonas described the unfolding of the incident.
It began on Thursday, Dec. 29, when she began having trouble accessing her email account. She sent a text message to Tran, who immediately began to investigate. Although Dec. 29 is the date that the problem was first noticed, it is believed that the system was breached over the long Christmas weekend.
The next day, Tran sent an email to Endrijonas stating that their servers had a “pretty bad virus” and that they were working to figure it out. Identifying the culprit was difficult due to the nature of the assault the school was experiencing; ransomware attacks seize control of computers and render them useless by installing a program that hopelessly scrambles 99.9 percent of the data on the hard drive unless you have the right decryption keys. The keys are what is held for ransom.
The following day, New Year’s Eve 2016, Tran indicated that the problem was being caused by ransomware, a conclusion based on a ransom note that had been found in a file left unlocked on one of the affected servers. Because Endrijonas was in transit, and also because it was a holiday, it wasn’t until the next morning that formulating a plan to neutralize the threat began.
Saturday morning, Endrijonas got her first look at the ransom note that had been discovered. The note explained that “All your files encrypted with RSA-2040 encryption” and that a private key is required to restore access to the affected computers.
The ransom demand offered several options to tender payment in bitcoins (an untraceable electronic currency). One option was to pay 1.7 bitcoins per computer; another offered the keys for “All affected PC’s” in exchange for a payment of 28 bitcoins. Bitcoin is a decentralized digital currency that is unregulated and not issued by any central bank or government, rendering it essentially untraceable.
Like traditional currencies, the value of a bitcoin fluctuates frequently; as of press time the exchange rate is 1 bitcoin = $1017.94 USD. The note concludes with an ultimatum: “pay in seven days or it will be impossible to recover the files.”
LACCD headquarters was contacted immediately, as was local law enforcement. Soon federal law enforcement, insurance companies and the cybersecurity consultancy Crypsis were all involved in meetings and conference calls over the next few days. A consensus was reached to pay the demanded ransom, and on Jan. 4 a payment of 28 bitcoins (equivalent to $28,000) was made.
That same day, the first public notice about the incident was released. The effectiveness of the notice, particularly the version that appeared on the main page of the school website (www.lavc.edu), has been called into question by some staff and students. In particular, the description of the matter as a “Cybersecurity Event” was misconstrued by some as a reference to an on-campus gathering of some sort.
Endrijonas said, regarding the decision to use the ambiguous term “Cybersecurity Event,” “that was on the advice of PR people that were hired by the District, that was not our choice of words.”
By Jan. 5, the decryption keys had been obtained by the college. In a “January Update” from Endrijonas, she states that 14 servers remain offline and that they should all be “back up” by the end of February.
Questions about why backups were not used to restore the locked files have been raised by some critics.
“Their first keystroke was to delete our backups, locking them down, and then locking down the rest of the servers. But it is not that we didn’t have backups, it’s that the way we were doing backups, because the way that our system was set up they were able to get in and find them, and delete them.”
It had been previously reported by the Star that the $28,000 in ransom money had been paid by an insurance company with whom the LACCD had an insurance policy against such attacks, but according to Endrijonas that is not quite the case. When asked if the insurance company paid the ransom, she said:
“Well, there’s a $250,000 deductible on the insurance policy, by the time we finish this we will have exceeded the $250,000, so at some point they (the insurance company) kick in…between doing new servers, and the human capital we’d need and the specialists we’d need and all that.”
She went on to clarify that the expenditures associated with the attack were coming out of the LACCD budget and that Valley’s budget would not be impacted.