Cyber Incident Victim: Los Angeles Valley College
Date: Dec 2016
Location: United States of America
Summary
Los Angeles Valley College paid a $28,000 ransom in bitcoin after ransomware encrypted its computer networks, email systems, and voicemail services. External cybersecurity experts advised that payment would likely restore access, while non-payment risked permanent data loss; the payment was funded through a cybersecurity insurance policy. Following the transaction, the attackers provided a functional decryption key enabling partial system recovery, though restoring files remained a prolonged process. Investigations, which remained ongoing, confirmed that no data breach occurred. The incident reflects broader ransomware trends impacting institutions like hospitals, where payment is often justified, despite ethical concerns, by high restoration success rates.
Description
In late December 2016, Los Angeles Valley College (LAVC) experienced a ransomware attack that encrypted its computer networks, email systems, and voicemail lines. The attack occurred just before New Year's Eve, with hackers infiltrating the college's systems and leaving a ransom note on its servers. The note demanded $28,000 in bitcoin within seven days and threatened permanent deletion of the private keys required for file recovery if the ransom went unpaid. The attackers provided detailed payment instructions, including a demonstration feature that allowed the college to upload two encrypted files for decryption as proof of capability. As part of the Los Angeles Community College District (LACCD), LAVC activated its cybersecurity insurance policy to fund the ransom payment. External cybersecurity experts advised college leadership that paying offered a "high probability" of system restoration, while refusal would "virtually guarantee" irreversible data loss. LAVC President Erika Endrijonas authorized the transaction following this assessment.

After the bitcoin payment was made, the hackers provided a decryption key that successfully unlocked files during initial testing. Restoration efforts proved time-intensive because hundreds of thousands of affected files had to be decrypted across multiple systems. College officials confirmed no evidence of data exfiltration or breach beyond the encryption itself, though investigations involving law enforcement remained ongoing at the time of reporting. The incident disrupted campus operations, requiring extensive IT recovery efforts. This attack mirrored broader ransomware trends affecting critical infrastructure, as evidenced by a February 2016 incident in which a Los Angeles hospital paid $17,000 in bitcoin to resolve a Locky ransomware infection. Cybersecurity expert Troy Hunt noted the growing justification for ransom payments based on return-on-investment calculations, despite ethical concerns. The college maintained that its insurance coverage mitigated the financial impact, though the event highlighted operational vulnerabilities to disruptive cyber extortion campaigns targeting educational institutions.
