School hack

Ransomware-affected school district refuses to pay, gets stolen data released

Data stolen from Los Angeles Unified School District has been leaked online, after staff refused to pay the ransom related to a ransomware attack. The attackers threatened to release the data if the ransom wasn’t paid, and so release it they did.

The double extortion tactic

Threatening to release data if the ransom isn’t met is what’s known as double extortion. A standard ransomware attack asks for payment in order to release the hijacked, encrypted files. If the victims don’t pay up, the files are simply left locked up forever as the attackers vanish into the mist never to return.

Criminals quickly realised they have more chance of payment if they make additional threats, like leaking the stolen data, selling it on, or even hitting the target with DDoS attacks to knock out their systems and networks. This constant ramping up of pressure can make even the steeliest of nerves buckle. This is especially true if the data is sensitive, or business critical and not for public consumption.

However, if criminals assume all victims faced with double or even triple extortion would simply pay up, they’re very much mistaken. We’re seeing a tough line being taken by impacted organisations, and payouts are not guaranteed.

Making a statement

In this case, the first sign of data leakage trouble came in the form of a statement released on Friday by the LA Unified Schools District. Key points from the statement read as follows:

“As Los Angeles Unified continues to deal with the cyberattack, we recently learned that the criminal organization plans to release illegally obtained Los Angeles Unified data online.

We are diligently working with investigators and law enforcement agencies to determine what information was impacted and to whom it belongs. This incident is a firm reminder that cybersecurity threats pose a real risk for school districts across the nation. Los Angeles Unified is not the first public school district that has been targeted and unfortunately, it will not be the last.

At this time, we do not believe that employee healthcare and payroll have been impacted, and safety and emergency mechanisms remain in place.”

This messaging was reinforced by the Los Angeles Unified Twitter account on September 30.

The inevitable did indeed happen, and the data is now being leaked.

Don’t go rushing to pay out

Paying a ransomware attacker doesn’t guarantee the stolen data will be unencrypted for you, nor does it mean the data won’t be released. It’s hard to trust that what a criminal says is, in fact, the truth.

LA Unified made it clear that money would be better spent elsewhere. This is a very valid point. Whether by accident or design, files are frequently not returned to the victims. Sometimes it’s because the decryption tool doesn’t work. Other times, it’s because the criminals have no intention of ever returning the data. It can even be the case that between payment and file decryption, the criminal network is shut down and, as a result, there’s no way to recover the files.

Updated details appear to show that some sensitive data was included in the leak, and people should be on their guard for potential social engineering and phishing attacks. As far as the impacted schools go, the message loud and clear.

No payments, no matter what.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.