Los Angeles Valley College (LAVC) is surely glad it had cybersecurity insurance as it was hit with ransomware on New Year’s Eve. It’s unclear how much of the $28,000 ransom will be recovered via insurance, but the college made the decision to pay.
A ransom note, left on one of the college’s servers, read:
You have 7 days to send us the BitCoin after 7 days we will remove your private keys and it’s impossible to recover your files
According to the college newspaper Valley Star, the ransom note also included step-by-step directions for how to purchase bitcoins and make the extortion payment, as well as a demo to test the decryption process. “Check our site, you can upload two encrypted files and we will decrypt your files as demo.”
Although the San Fernando Valley community college believes it was “randomly targeted,” the ransomware infection “disrupted many computers, online, email and voice mail systems.”
The decision to capitulate and pay came after the district consulted “outside cybersecurity experts and law enforcement.” LAVC president Dr. Erika Endrijona explained (pdf), “It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost.”
Sure enough, the cyber thugs delivered a decryption key after the college coughed up the $28,000 ransom demand. The LA college described the “process to ‘unlock’ hundreds of thousands” of files as “a lengthy one,” but the “key has worked in every attempt that has been made.”
The attack probably forced the college to come up with a New Year’s resolution pertaining to backups. Rebuilding from backups is not instantaneous, but it beats having no backups at all.
When a Montana school district was hit with ransomware, Matt Jensen, superintendent of the 900-student Bigfork public schools, wasn’t thrilled with the prospect of rebuilding from backups; but at least it had some backups. The school’s network was backed up twice, so even though the on-site servers were compromised with ransomware, the off-site backup was not. He refused to pay. “We weren't going to negotiate with them," he said. There’s no guarantee the attackers will decrypt the data and paying “would only empower a criminal group.”
“Ransomware is a proven extortion method. We can expect new variants to continue entering our infrastructures in 2017 and more frequently,” said Michael Patterson, CEO of Plixer. He advised, “Security teams need to run fire drills on critical systems to determine how quickly they can return to normal business operations from backups vs. just paying the ransom and moving on. Companies need to be ready, as this threat is growing and our recourse options are very limited.”
New sophisticated Spora ransomware
Speaking of new ransomware variants, Emsisoft described a new ransomware, dubbed Spora, that is capable of working offline; it does not need to communicate with a command-and-control server to encrypt files.
Emsisoft wrote, “A couple of things immediately caught our attention: Firstly, the presentation and the interface itself have a professional, almost beautiful, look. Secondly, and unlike other ransomware, the ransom it asks for seemed comparatively low.”
A victim becomes infected by opening a zipped email attachment that contains an HTA file, which is an HTML application. If a user hasn’t enabled “show hidden files, folders and drives” in File Explorer options, then all he or she might see is something like Invoice.doc, entirely missing the real hidden extension of .HTA; in this example the full file name would be Invoice.doc.hta.
After opening the zipped file, Word or WordPad will open with a fake “corrupt document” warning, presumably to trick victims into believing there’s nothing suspicious about it. Meanwhile, a second file, which is actually the ransomware, starts encrypting data.
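The double-extension lure described above can be caught before a recipient ever sees the attachment. The following is an added example, not code from the article or from Emsisoft: it lists the entries of a zipped attachment and flags names whose final extension Windows would execute, reporting what Explorer would display with known extensions hidden; the extension lists and the sample archive are constructed for illustration.

```python
# Added example (not from the article or Emsisoft): flag double-extension lures
# such as Invoice.doc.hta inside a zipped attachment. Extension lists and the
# sample archive are constructed for illustration.
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly (an .hta is launched by mshta.exe).
ACTIVE_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe",
               ".scr", ".cmd", ".bat", ".ps1"}
# Extensions a recipient expects on a harmless attachment.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_entry(name):
    """Return a finding dict for one archive entry, or None if it looks benign.
    'displayed_as' is the name Explorer shows with known extensions hidden,
    i.e. the final suffix dropped (Invoice.doc.hta -> Invoice.doc)."""
    path = PurePosixPath(name)
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in ACTIVE_EXTS:
        return None  # no executable extension at the end of the name
    finding = {"name": name, "real_extension": suffixes[-1],
               "displayed_as": name[: -len(path.suffix)]}
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        finding["reason"] = "document extension masks an executable one"
    else:
        finding["reason"] = "executable content in attachment"
    return finding


def scan_zip(zip_bytes):
    """Scan every file entry of an in-memory zip and return all findings."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    return [f for f in map(classify_entry, names) if f is not None]


def build_sample_zip():
    """Constructed attachment mimicking the Spora lure; payloads are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.doc.hta", "<!-- inert placeholder, not a real HTA -->")
        zf.writestr("Invoice.pdf", "placeholder")
        zf.writestr("setup.exe", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['name']}: shown as {f['displayed_as']!r}, "
              f"really {f['real_extension']} ({f['reason']})")
```

The same check can be run at a mail gateway or on a quarantine folder; blocking or sandboxing flagged archives removes the lure before the "corrupt document" trick has a chance to work.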
The ransom is set by an automated process, but the actual amount depends upon how many encrypted files the attackers deem to be valuable.
While the ransom demand is primarily in Russian, Emsisoft showed an English example of it.
Bleeping Computer noted that victims are required to enter the ransomware infection ID on the attacker’s site to log in to the Spora decryption process. Next, the .key file must be loaded to “synchronize” a computer with the decryption portal.
The attackers, Emsisoft added, do offer a customer support messaging system. “You can choose to only recover your files or pay for removal of the ransomware and immunity from future attacks at an extra cost. This is something unique to the Spora ransomware, as we have not seen anything like this before.”
As of right now, Emsisoft said, “Unfortunately, after evaluating the way Spora performs its encryption, there is no way to restore encrypted files without access to the malware author’s private key.”
Keep backups; sooner or later, you will be glad you have them.