Give us your money, or your files get it.
Imagine turning on your computer only to be greeted by that message. The computer has been infected with ransomware, a type of malware that locks users out of their data and threatens to make it unusable — either by deleting or encrypting it — unless the college that has been hacked agrees to pay a ransom.
The clock is ticking. Do you pay up?
Los Angeles Valley College did. The community college said earlier this month that it paid about $28,000 in Bitcoin, a digital currency, to an unknown hacker after ransomware locked the institution out of its network, including its email and voice mail systems. It settled on the decision based on an “assessment … that making a payment would offer an extremely high probability of restoring access to the affected systems,” Chancellor Francisco C. Rodriguez said in a statement.
In this case, the assessment turned out to be correct. Since paying the ransom on Jan. 4, the college has restored email and voice mail functionality and worked on unlocking files with code provided by the hacker. That work is still continuing, according to a spokesperson for the college, who stressed that classes started on time.
Others have not been so lucky. Tens of thousands of individuals and organizations that store their data in the online database MongoDB this month found their files had been replaced with ransom notes. Those who have paid have reportedly received nothing in return.
Information security experts say that’s the central risk associated with ransomware, which has been around since the late 1980s but over the last few years has become a more common threat. Do you trust the anonymous stranger holding your data hostage to keep their end of the bargain after paying the person thousands of dollars’ worth of a virtually untraceable digital currency?
“It has to be a case-by-case decision,” said Kim Milford, executive director of REN-ISAC (short for the Research and Education Networking Information Sharing and Analysis Center). In an interview, she encouraged colleges infected with ransomware to ask themselves the following question before deciding whether or not to pay: “Can we carry on with our business without this vital information that is being held ransom?”
Even if colleges go through that deliberation process — weighing the pros and cons of paying the ransom and carefully evaluating the contents of its backed-up files and the effort it would take to restore them — and conclude that paying is the most sensible option, there is still a larger issue to debate, experts say. By paying, colleges may recover their data, but they also sustain the hackers and give them an incentive to strike again. And the ransom may be used to fund further illicit activities.
“What we find in cyberthreats is once somebody shows success, everybody is happy to exploit that success,” Milford said. “If they pay the ransom and it gets publicized, people start targeting them more and more and more. It’s a slippery slope.”
The Federal Bureau of Investigation, responding to an increase in ransomware attacks, last year urged victims not to pay.
“Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” James Trainor, who at the time was assistant director of the agency’s cyber division, said in a statement. “Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Not only are ransomware attacks becoming more frequent, but the attacks themselves are becoming more diverse. Kaspersky Lab, an antivirus software provider, last year found the number of ransomware attacks grew by 17.7 percent between April 2015 and March 2016.
Higher education is by some measures the hardest-hit sector. A study conducted last year by BitSight Technologies, which evaluates companies’ risk and security performances, estimated that 10 percent of colleges have experienced ransomware attacks, significantly higher than government entities (6 percent) or health care organizations (3.2 percent). The study looked at ransomware attacks at about 20,000 organizations.
Many of these cases are resolved quickly and without publicity. Last year, however, several cases made headlines, including attacks at Carleton University and the University of Calgary, two Canadian institutions.
Matthew Kozloski, vice president of professional services for the IT consulting firm Kelser Corporation, said there’s a simple explanation for why ransomware attacks are on the rise: money.
“I hate to say it, but [ransomware is] the easiest way today for hackers to make money,” Kozloski said. “They want you to pay up.”
Attacking an individual can net a hacker a few hundred to a few thousand dollars. Attacking an organization — colleges included — could lead to a larger payday, which may be why attacks on corporate users more than doubled between 2014 and 2016, according to Kaspersky Lab. Individual users are still the most common targets, however, accounting for about 86 percent of all ransomware attacks.
Attacking organizations also raises the stakes, said Brian Calkin, vice president of operations for the Center for Internet Security. For colleges, it could mean losing control of sensitive personal information. For hospitals, it could be a matter of patients’ lives.
“That paints a much larger bull’s-eye on them than there already is,” Calkin said in an interview. The CIS works mainly with public-sector entities, including some public universities.
Milford said the best safeguard against a ransomware attack is a sophisticated backup system, which allows a college to restore its data to a point before hackers locked it away. She also said colleges can’t rely on technology alone to protect against online threats, and that they should educate people on campus — administrators, faculty members, staffers and students — about cyberthreats and how to keep information safe.
But having to turn to a backup means the attack has already taken place. In some cases, paying the ransom may be less of an effort than the time it takes to restore the files, Calkin said. Since ransomware spreads through infected email attachments, phishing attacks that lead victims to unknowingly give hackers access to their accounts and websites exploiting browser vulnerabilities, among other examples, he encouraged colleges to follow best practices such as keeping computer systems updated.
“If at all possible, people should not be paying,” Milford said. “The problem will never go away if people are paying up.”
Give us your money, or your files get it.