University pays $21k to recover data after ransomware attack

The University of Calgary, Canada has paid around $20,000 CDN (AUD $21,000) to salvage data held captive by crypto-ransomware attackers.

In a statement released on Wednesday, the university said it paid the ransom as part of its effort to recover systems affected for the past 10 days by the cyberattack.

Linda Dalgetty, Vice-President, Finance and Services for Calgary University, said the university had received decryption keys, but stressed that it was still unsure whether the affected systems and data could be recovered.

“The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care,” said Dalgetty.

“It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time,” she added.

The university’s IT department was able to isolate the attack and had recovered some systems, including the university’s email server, which staff and faculty were able to use again on Monday.

Most security experts and law enforcement advise ransomware victims not to pay the ransom since it only emboldens the attackers. However, the university decided to pay in order to protect its researchers’ work, which may have also been encrypted.

CBC News quoted Dalgetty at a press conference on Tuesday as saying that the university paid the ransom “solely so we could protect the quality and the nature of the information we generate at the university.”

“We did not want to be in a position that we had exhausted the option to get people’s potential life work back in the future if they came today and said, ‘I’m encrypted, I can’t get my files.’”

The university has not said how it paid the ransom, though Bitcoin is commonly required in order to maximise anonymity for the attacker.

The Calgary Police Service is investigating the incident.

The incident comes just two months after Canadian authorities released a joint alert with the US Department of Homeland Security over the Locky ransomware. Locky has often arrived in spam containing malicious macros or JavaScript files that download the ransomware.

The warning followed a number of attacks on hospitals and healthcare facilities, including a medical centre in Los Angeles which in February paid US$17,000 to recover files encrypted by ransomware.

The FBI estimates that ransomware victims in the US alone have paid $209 million in the first quarter of 2016, compared to $25 million in all of 2015, according to a recent report from the LA Times. In other words, it has the potential to be a $1 billion business in the US alone.

Historically, malware has targeted banking credentials and other online credentials, which attackers can monetise either by using the data to break into online accounts themselves, or by selling the data to others who do so.

Ransomware arguably has a better monetisation model: pay up directly within a few days or lose your data.
