author photo
By Bruce Sussman
Wed | Dec 2, 2020 | 4:00 AM PST

A company that has powered online learning for more than 1 million students just disclosed it paid a ransom demand to hackers.

K12 Inc. issued an unusually detailed statement to investors about the cyberattack, its decision to pay the ransom, and next moves by the online education provider.

What happened in this K12 ransomware attack

What happened in this ransomware attack? For starters, the company says hackers did not gain access to its Learning Management System (LMS), which delivers educational content and classes to its students. 

However, the ransomware operators worked their way into some very valuable data and stole it:

"We do believe that the attacker accessed certain parts of our corporate back-office systems, including some student and employee information on those systems, but it will take further time to determine the scope of the information accessed."

The cybercriminals who deployed the ransomware threatened to publish that confidential data about students and teachers. The only way around the publishing of the data was to pay the attackers. 

"We carry insurance, including cyber insurance, which we believe to be commensurate with our size and the nature of our operations. We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed."

Which of the ransomware gangs or groups hit K12 Inc. and its network in this cyberattack? The company is not saying, but they know who it was and evaluated that cybercrime group's track record before paying.

"While there is always a risk that the threat actor will not adhere to negotiated terms, based on the specific characteristics of the case, and the guidance we have received about the attack and the threat actor, we believe the payment was a reasonable measure to take in order to prevent misuse of any information the attacker obtained."

Should you pay the ransom in a ransomware attack?

If you organization is hit by a ransomware attack, should you pay? One consideration may be how your company is perceived. Check out these comments from the MarketWatch story about K12's decision to pay:


Clearly, paying the ransom won't win you any popularity contests. But could it make sense from a business perspective to protect your data and the people tied to it? Or to shield your organization from future litigation?

This topic came up during a virtual SecureWorld conference when data privacy attorney Daniel Pepper presented on ransomware and digital extortion.

"If you talk to law enforcement about ransomware and asking them whether or not you should pay the ransom, typically the FBI will tell you well, we don't advocate paying but they understand the businesses or businesses and they have to evaluate all their options to protect themselves," Pepper says.

According to Pepper, here are just some of the considerations that go into a decision to pay a ransom:

"Once an organization is hit, what do we think about? Number one, we're going to want to think about the viability of the backups? Not only do we have backups but also have we tested them? How old are they? Can we restore from these backups? How long? Or how much will it cost us?

If we're going to be down for a week or more is revenue going to be impacted? Is customer satisfaction going to be impacted? Are relationships with other partners going to be impacted? And what are the costs of that? We want to think about what those costs are against the demand of the ransom from the threat actor. What data is encrypted or stolen? Is it critical? Is it sensitive? Is it personal information?"

Relying on cyber liability insurance during a ransomware attack

As we've reported often at SecureWorld, insurance companies are often happy to pay the ransom because it can be cheaper than restoring systems and defending lawsuits over stolen data. In fact, ransomware became the number one type of cyberattack claim insurers dealt with in 2020.

And Pepper says there are key benefits to working with your cyber insurance carrier and having that type of coverage:

"Cyber liability insurance is very, very effective, especially if you're hit with a large ransomware demand. Most cyber policies will cover the payment and also restoration costs and other forensic costs."

What can happen if you don't pay the ransom? See our story Baltimore, $18 Million Later: 'This Is Why We Didn't Pay the Ransom.'

In the case of K12 Inc., the company does have some positive news for investors after paying the ransom:

"Based on the information currently known and our investigation to date, we do not believe the incident will have a material impact on our business, operations or financial results."

[RELATED: Schools Extend Holiday Break Following Ransomware Attack]

[RELATED: SecureWorld virtual conference schedule]

Tags: Ransomware,