While Los Angeles school officials said Tuesday they have not received a ransom demand since their computer system was hacked over the holiday weekend, experts say blackmail is typically the reason for cyberattacks.
The objective for some hackers is to simply cause chaos — sometimes for political reasons — but most of the time they are trying to get paid, demanding a ransom to unlock the disabled computer system or refrain from leaking sensitive data, cybersecurity experts say.
“The bottom line is the attackers are really just looking to make money, that is their job,” said Tyler Hudak, a security expert for the Ohio-based TrustedSec firm.
“I’ve seen ransoms paid in the low five figures to millions of dollars,” Hudak said. “Nobody is publicizing whether or not they are paying.”
In 2021, hackers caused the shutdown of oil flow from the Colonial Pipeline, which supplies half of the fuel used by the East Coast. The company paid $4.4 million in ransom to a suspected Russian-based group called DarkSide to restore its system, according to news reports. Federal law enforcement was able to recover $2.3 million in bitcoin from the attackers, reports said.
The cyberassault was on the pipeline’s billing system and didn’t affect operations, but officials turned off the oil flow to keep the virus from spreading. The shutdown hampered commercial air flights and drained gas stations in Florida, Georgia, Virginia, North Carolina and South Carolina. Panic-buying motorists lined up at gas stations and had to be warned against putting fuel into plastic bags.
The attack was so massive that President Joe Biden declared a state of emergency. The pipeline was turned back on after six days.
In Chicago, hackers hit the public school system, stealing four years' worth of data for nearly 500,000 students and almost 60,000 employees. However, no private financial information was obtained, according to news reports. The breach was reported in April but actually occurred in December at a vendor used by Chicago Public Schools.
Last year, two Southern California school districts, in Newhall and Rialto, were hacked as well, disrupting operations, according to the Los Angeles Times.
“It happens more frequently than we could count,” said Scott Ray, chief operating officer of Denver-based NexusTek, an IT service. “That’s the reason cybersecurity companies are growing like crazy.”
Hacking for money happens so often that it has spawned an industry of “ransom negotiators” for computer systems, experts say.
At Los Angeles Unified, experts say the district is probably still trying to figure out the extent of the damage and how it happened. “They may not know how much trouble they are in,” Ray said.
By Tuesday afternoon, school officials said the digital attendance reporting system was back online and classes were operating as scheduled.
The Los Angeles hack was discovered on Saturday of Labor Day weekend. Holidays are an especially ripe time for cyberattacks.
“(Attackers) know IT staff will be thin and the reaction will be delayed,” Ray said.
Sometimes hackers will enter by obtaining a VPN password to access the system from off site. It is rare, but sometimes an attacker will get the password from a disgruntled employee, experts say.
“You just need one person to give you access and an attacker can get pretty deep into the organization,” Hudak said.
Once in, the attacker will run a program on the compromised computer system to encrypt important files. A ransom will be demanded to unlock the encrypted files. Hackers also will look for valuable data that can be sold or held hostage for a price. Sometimes they’ll look for insurance policies to get an idea of how much insurers will pay.
“They’ll explore the house” like a burglar, Ray said.
Experts say hackers typically have entered their targeted system long before the attack is discovered. Their preparations could send up red flags — provided someone is watching.
Sometimes the attackers will leave behind an internet address, but nearly all the time they are anonymous, experts say.
Hudak said one way to track hackers is on “the dark net.” Typically, the hackers will post the names of victims who refuse to pay the ransom or they’ll leak out partial data as a motivator.
In the end, Hudak said, no system is impenetrable.
“Everybody eventually gets compromised,” he said. “Part of the whole protective tactic is to assure everybody you will have the right people watching for suspicious activity.”