Summary

The scourge of “ransomware”—malicious computer viruses that prevent entities from accessing their own data until they pay a ransom—has spread to the higher education sphere.

In early January 2017, a California public community college system paid a $28,000 ransom to cyberattackers who had encrypted the institution’s data, rendering the college’s systems inaccessible. The attack on Los Angeles Valley College was detected on December 30, 2016, when a virus locked network functions (including voicemail and email systems). To restore functionality, college officials decided to pay the ransom, in bitcoin, after consulting with the college’s information technology staff, cybersecurity experts and law enforcement. In return, the attackers delivered a “key” used to unlock institutional data. The college’s website, email and voicemail were restored the following day.

Higher education institutions have taken different approaches to dealing with ransomware attacks. Some institutions, like Los Angeles Valley College, have chosen to pay the ransom to prevent extraordinary losses of data. In June 2016, for instance, the University of Calgary paid $20,000 (Canadian) a week after an initial attack on its servers. Other institutions have refused to pay: in November, Carleton University in Ottawa refused to pay cyberattackers after being hit by ransomware, and it was able to slowly bring its systems back online. In addition, in September 2016, the University of Southern California hospitals were able to restore their encrypted data without paying any ransom.

These recent attacks underscore the fact that colleges and universities are not immune from cyber threats—indeed, they increasingly are becoming targets for attacks—and should take steps to protect themselves and their data from malicious entities. If an attack occurs, institutions should be aware of their options in order to chart the best course of action.