Should schools pay ransoms? Here are 3 scenarios to look out for

"There is no honor among thieves," says James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI.

Your district may be the next victim of a cyberattack initiated by an increasingly threatening criminal organization known as Vice Society. If that day were to come, would you be ready?

The group most recently targeted the Los Angeles Unified School District, the second-largest in the country, with a ransomware attack. The district had one month to decide whether they would pay the ransom or risk having their confidential data leaked. Ultimately, Superintendent Alberto Carvalho refused to capitulate to the group’s “insulting” demand, resulting in the release of their data. Carvalho explained that his reasoning for doing so was that paying a ransom doesn’t guarantee that all of the data won’t be compromised, and he is absolutely correct.

James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI, outlines three scenarios schools should look out for as they address a ransomware attack.

Scenario 1

Assuming your school system has access to a crypto-currency account and can purchase a decryption key, keep in mind that a portion of the data will be unrecoverable. “There is no honor among thieves,” he says. A growing trend among most ransomware groups, he explains, is that they will always fall short of their demands in some regard.

Turgal says that on average, schools will lose around 26% of their data, even after they’ve purchased the decryption key. “Data loss occurs either because of how the ransomware was deployed or the network design,” he says.

Scenario 2

One of the more obvious situations a district might face is the classic scam, and schools should tread lightly. As Carvalho said regarding Vice Society, “We’re not about to enter negotiations with that type of entity.”

Turgal says that organizations will often demand a ransom from their target, receive the payment and never provide a decryption key because they never intended to.

Scenario 3

This is where it gets tricky. Your district’s decision to purchase a key might only stir up more trouble.

“The third scenario is when a victim pays the ransom and receives a decryption key, but the decryption key deploys new malware,” he explains.

Additionally, hackers sometimes use a tactic known as “piecemealing” to potentially rob schools of even more money. “Threat actors will piecemeal the stolen data and issue a ransom demand for the decryption key, and then issue subsequent ransom demands for not disclosing or releasing separate tranches of the data, which can end up in double and sometimes triple extortion,” he says.

More from DA: In wake of parents’ outrage, Uvalde CISD fires police officer within 24 hours of hiring her

Should schools pay off ransoms?

With these scenarios in mind, it’s important for districts to understand that while negotiation with criminal actors is seen as a business decision, it should not be based on the district’s financial resources.

“It should be based upon factors such as the extent of the damage to their network ecosystem, their forethought in having dedicated back-up and recovery systems that are not susceptible to becoming tainted and encrypted during the attack, and their ability to isolate the damage inflicted during the attack so that portions of their ecosystem are still available to operate their business,” Turgal says.

As discussed in the previous scenarios, he adds, there are little, if any, positive outcomes to paying a ransom. “Paying the ransom will not stop the threat actors from still releasing the stolen data they exfiltrated and/or selling it on the Dark Web to the highest bidder,” he explains.

Paying ransom increases vulnerability

In the event of a cyberattack, always cleanse the system’s network ecosystems. Failure to do so, Turgal says, will likely lead to further attacks.

“I have worked hundreds of cases where victims of ransomware attacks pay the ransom, use the decryption key to recover most of their data, and then do nothing to cleanse their network ecosystems of the ransomware payload and code, only to be victimized by the same group six-18 months later,” he says.

Furthermore, opting to pay ransom may reveal to other criminal groups that your district is willing to negotiate.

“Certainly, paying the ransom shows the threat actors that you are willing to pay the ransom, which could lead to attacks from other affiliated groups,” he says. “But more likely than not, the original attacker will be more likely to victimize the company again and again if they fail to cleanse and rebuild fresh systems that don’t include the original vulnerabilities.”

Secondly, he warns schools that paying a ransom to any prohibited organization on the Office of Foreign Assets Control list could lead to civil or criminal liability for the company and key executives. “The question of whether or not to pay the ransom must also be looked at through the lens of any regulatory body over the victim company and also the list of prohibited organizations,” he says.

Preventing cyberattacks

In a previous interview with District Administration, Turgal addressed the power of information and why it’s important for smaller districts to band together. Schools should join The K12 Security Information eXchange (K12 SIX).

“It is basically an information-sharing exchange for K-12 types of schools,” he said. “I’ve been involved throughout my FBI career in a number of different information-sharing and analysis centers, and it’s basically that industry getting together and sharing data about the tactics, techniques and procedures that they’re being attacked with.” Doing so, he says, allows law enforcement agencies that are also members of these groups to identify and respond to these incidents.

First and foremost, however, schools should identify any flaws in their security network. Doing so will help districts protect their most valuable data.

“The first thing you have to do is understand what are the vulnerabilities and gaps on your networks in your ecosystem,” he said. “Have a cyber-risk assessment done. Very first thing. Because once you know, you now have a roadmap so you know what those vulnerabilities and gaps are. You can then prioritize, ‘O.K. what’s the most important data I’m trying to protect?'”

Micah Ward
Micah Ward
Micah Ward is a District Administration staff writer. He recently earned his master’s degree in Journalism at the University of Alabama. He spent his time during graduate school working on his master’s thesis. He’s also a self-taught guitarist who loves playing folk-style music.

Most Popular