Executive Summary
At the beginning of September 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that a ransomware gang named Vice Society was disproportionately targeting the education sector. The advisory stated that attacks were expected to increase after the start of the 2022/2023 school year, because criminal groups see the first weeks of a school year as an opportunity.
On September 6, 2022, the same day the FBI and CISA issued the advisory, the Los Angeles Unified School District (LAUSD) announced that it had been the victim of a ransomware attack that took down some of its information technology systems. LAUSD is the second largest school district in the U.S. and enrolls more than 640,000 students. At the time, the attack could not be attributed to a threat actor; it was later confirmed to be the work of Vice Society.
In June 2022, Avertium published a Threat Intelligence Report regarding the top five cyber threats in education. In that report, ransomware was named as the number one threat and attack vector. Although the report was geared toward colleges and universities, the same holds true for K-12 education. In July 2022, Sophos conducted research and issued a whitepaper on the State of Ransomware in Education for 2022. The report included 320 respondents from lower education. Sophos discovered that 56% of the lower education organizations and 64% of the higher education organizations surveyed were hit by ransomware the previous year.
Lower education also saw an increase in both the volume and the complexity of cyber attacks. The report further stated that education has a low rate of cyber insurance coverage for ransomware. Threat actors like Vice Society know that the sector struggles in these areas, and that is likely a driving force behind their attacks on schools. Let's take a look at Vice Society, their tactics and techniques, and how lower education school districts can better protect their environments.
As previously stated, at the beginning of the 2022/2023 academic year, Vice Society launched a ransomware attack against the second largest school district in the U.S. – LAUSD. The attack took place over Labor Day weekend and disrupted LAUSD systems, including email servers. After the breach, LAUSD contacted officials including the White House, the Department of Education, the FBI, CISA, and the Department of Homeland Security.
Image 1: Tweet from Los Angeles Unified
Despite the disruption to its infrastructure, the district opened as usual while it worked to restore its servers. At this point, LAUSD did not know what kind of data had been stolen, or whether any data had been stolen at all. It did not take long for Vice Society to claim responsibility. A Vice Society representative told BleepingComputer that the group stole 500GB of data from LAUSD's systems before encrypting them, but declined to provide proof until an entry was published on the group's data leak site.
During that time, LAUSD stated that its task force was making progress toward stabilizing core information technology services. The district asked all employees and students to reset their @LAUSD.net account credentials in person at a school site and began rolling out multi-factor authentication. It also planned to establish an independent task force to review system audits and determine how the breach occurred in the first place.
Image 2: Tweet from LAUSD
By October 2022, Vice Society had published the data it claimed to have stolen, around 500GB of information about LAUSD students and employees. The leak followed the superintendent's public statement that the district would not pay the demanded ransom (the amount is still unknown).
Image 3: Tweet from LAUSD Superintendent
LAUSD Superintendent Alberto Carvalho told the Los Angeles Times that the district would not pay the ransom to prevent a leak because payment was no guarantee that the attackers would not leak the data anyway. The district believed the money could be put to better use, such as funding students' educational needs.
Carvalho confirmed that the data was leaked and encouraged parents and students to ask questions about the leak through a newly established hotline. Vice Society attacked at least eight other U.S. school districts and higher education institutions in 2022.
According to CISA, Vice Society is an intrusion, exfiltration, and extortion ransomware gang that first appeared in the summer of 2021. Although the group itself is new, it does not use ransomware of its own design: Vice Society is known for deploying versions of HelloKitty/Five Hands and Zeppelin ransomware. This does not mean the group will not deploy other variants in the future.
According to CISA, Vice Society likely obtains initial network access through compromised credentials and by exploiting internet-facing applications. Before deploying ransomware, the group explores the victim's network to find ways to escalate privileges and broaden access, and to exfiltrate data for double extortion. The group has also been seen using several tools, including PowerShell Empire, SystemBC, and Cobalt Strike, for lateral movement.
After achieving initial access, the group uses several techniques for post-compromise discovery and reconnaissance within the target's environment. While analyzing one of the group's attacks, Cisco Talos observed Vice Society attempting to access the backup solution used in the victim's environment, most likely to prevent the target from recovering from the attack without paying the demanded ransom. According to Cisco Talos, the following sudo command was used in an attempt to obtain credentials for a commercial backup solution and gain access to the organization's backups. The flags matter here: -k makes sudo ignore any cached credentials so that a password prompt is forced, -p replaces sudo's default prompt with the supplied text, and -s runs a shell, so whoever types a password at the "[Backup Prompt]" prompt is handing it to the attacker's sudo invocation rather than to the backup product.
sudo -s -k -p [Backup Prompt] whoami
Cisco Talos also observed the group using Impacket, a collection of Python classes for working with network protocols, to enumerate the victim's environment and gather information about the Active Directory configuration in place, likely to identify high-value targets. The threat actors also use Impacket to execute commands on other systems in the environment over Windows Management Instrumentation (WMI).
Additionally, Vice Society has been observed exploiting PrintNightmare (CVE-2021-34527), a vulnerability in the Windows Print Spooler service disclosed in mid-2021 that lets an authenticated user run code with SYSTEM privileges; Cisco Talos reported Vice Society exploiting it in August 2021. The Print Spooler runs on every Windows computer that participates in print services, including many systems that never print, which is what made the bug so widespread. PrintNightmare has been an issue for Windows environments since 2021 and continues to be exploited by several threat actors.
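The remote command execution described above leaves a recognizable shape in process-creation telemetry. The following PowerShell is an added example written for this page; it is not code from the Avertium report or from Cisco Talos. It assumes the Impacket WMI execution referred to above is wmiexec.py, which runs each command through the Win32_Process WMI class as cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1 so that output can be read back over SMB; the parent process is therefore WmiPrvSE.exe and the command line redirects output into ADMIN$ under a name beginning with two underscores. The sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the Avertium report or Cisco Talos). Flags process
# creation records that look like Impacket wmiexec.py command execution:
# parent WmiPrvSE.exe plus an output redirect to \\127.0.0.1\ADMIN$\__<time>.

function Find-WmiExecActivity {
    param(
        # Objects with TimeCreated, ComputerName, ParentImage and CommandLine,
        # e.g. from Get-SysmonProcessEvents below or from Security event 4688.
        [Parameter(Mandatory)] [object[]] $ProcessEvents
    )
    # wmiexec.py names its output file '__' + str(time.time()) on the ADMIN$ share.
    $outputRedirect = '(?i)1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+'
    foreach ($e in $ProcessEvents) {
        $fromWmi = $e.ParentImage -match '(?i)\\WmiPrvSE\.exe$'
        if (-not $fromWmi) { continue }
        if ($e.CommandLine -match $outputRedirect) {
            $confidence = 'High'
            $reason     = 'WmiPrvSE.exe child redirecting output to \\127.0.0.1\ADMIN$\__*'
        } elseif ($e.CommandLine -match '(?i)^(.*\\)?(cmd|powershell)(\.exe)?\b') {
            $confidence = 'Medium'
            $reason     = 'Shell spawned by WmiPrvSE.exe (remote WMI command execution)'
        } else { continue }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            ComputerName = $e.ComputerName
            Confidence   = $confidence
            Reason       = $reason
            CommandLine  = $e.CommandLine
        }
    }
}

# Collect process-creation records from Sysmon (Event ID 1) on the local host.
function Get-SysmonProcessEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            ComputerName = $_.MachineName
            ParentImage  = $fields['ParentImage']
            CommandLine  = $fields['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; ComputerName = 'WS01'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'cmd.exe /Q /c net group "Domain Admins" /domain 1> \\127.0.0.1\ADMIN$\__1662460800.12 2>&1' }
    [pscustomobject]@{ TimeCreated = Get-Date; ComputerName = 'WS01'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' }
    [pscustomobject]@{ TimeCreated = Get-Date; ComputerName = 'WS02'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'cmd.exe /c whoami' }
)
Find-WmiExecActivity -ProcessEvents $sample | Format-Table -AutoSize
# Against live data: Find-WmiExecActivity -ProcessEvents (Get-SysmonProcessEvents -Hours 24)
```

The first sample record is reported as High confidence, the second (a shell launched by WmiPrvSE.exe without the redirect) as Medium, and the third is ignored. Legitimate management tooling also runs commands through WMI, so treat the Medium tier as a lead to correlate with the source of the WMI call rather than as an alert on its own.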
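Because Vice Society keeps reaching for this bug, a district should be able to answer quickly whether a given host is still exposed. The following PowerShell is an added example written for this page, not code from the Avertium report or from Cisco Talos. It audits one Windows host for the two things that still matter after Microsoft's 2021 patches: whether the Print Spooler service is running at all, and whether the Point and Print policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint have been set so that driver installation is open to non-administrators again. The registry value names and their safe settings are Microsoft's documented ones; the PrintServer switch is this script's own convention for hosts that legitimately need the spooler. Run it from an elevated session.

```powershell
# Added example (not from the Avertium report). Audits the local host for
# CVE-2021-34527 exposure and offers the standard remediation for hosts that
# never print. Value names under PointAndPrint are Microsoft's documented ones.

function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # Set for print servers and hosts that genuinely need to print.
        [switch]$PrintServer
    )

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Read a policy DWORD; $null means the value is not set and the default applies.
    $readDword = {
        param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $restrictToAdmins = & $readDword $pnpKey 'RestrictDriverInstallationToAdministrators'
    $noWarning        = & $readDword $pnpKey 'NoWarningNoElevationOnInstall'
    $updatePrompt     = & $readDword $pnpKey 'UpdatePromptSettings'

    $findings = @()
    if ($spooler -and $spooler.Status -eq 'Running' -and -not $PrintServer) {
        $findings += 'Print Spooler is running on a host that does not need it; disable the service.'
    }
    # After the August 2021 update the default (value absent) is 1 = admins only;
    # an explicit 0 re-opens printer driver installation to ordinary users.
    if ($restrictToAdmins -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admins can install printer drivers.'
    }
    if ($noWarning -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: Point and Print elevation prompts suppressed.'
    }
    if ($updatePrompt -eq 1) {
        $findings += 'UpdatePromptSettings=1: driver update prompts suppressed.'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpoolerStatus = $(if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' })
        Findings      = $findings
        Exposed       = ($findings.Count -gt 0)
    }
}

# Remediation for hosts that never print: stop the spooler and keep it stopped.
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

$result = Test-PrintNightmareExposure
$result | Format-List
if ($result.Exposed -and $result.SpoolerStatus -eq 'Running') {
    Write-Warning 'Run Disable-PrintSpooler on this host if it does not need to print.'
}
```

Patching alone is not enough if someone has since set the Point and Print values to silence driver prompts, which is why the check reads the policy values rather than only the patch level. Domain controllers and servers that do not print are the first place to run Disable-PrintSpooler.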
In addition to exploiting PrintNightmare, Vice Society attempts to extract credentials from their victims in two ways:
To evade detection, Vice Society attempts to clear the security log on compromised systems. The group also modifies the Windows Registry on remote systems to disable remote-administration restrictions, which lets the threat actors use pass-the-hash attacks and weakens RDP's protections. Vice Society has also attempted to bypass the Antimalware Scan Interface (AMSI) to evade detection by endpoint security solutions.
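Both of those evasion steps leave evidence a defender can look for. The following PowerShell is an added example written for this page, not code from the Avertium report or from Cisco Talos. The report does not name the registry values involved; this script assumes they are the two Windows settings that govern exactly the restrictions described: LocalAccountTokenFilterPolicy (set to 1, it turns off UAC remote restrictions so local administrator accounts can be used over the network with only their NTLM hash) and DisableRestrictedAdmin (set to 0, it enables RDP Restricted Admin mode, which accepts a hash in place of a password). It also lists Security event 1102, which Windows writes before emptying the Security log, so the clearing itself survives in the log and in any forwarded copy. Run it from an elevated session on the host being checked.

```powershell
# Added example (not from the Avertium report or Cisco Talos). Checks the two
# registry values assumed here to be the "remote administration restrictions"
# the report describes, and lists Security log clear events (Event ID 1102).

function Get-PassTheHashRegistryExposure {
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Read a DWORD; $null means the value is absent and the secure default applies.
    $readDword = {
        param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $tokenFilter     = & $readDword $policies 'LocalAccountTokenFilterPolicy'
    $restrictedAdmin = & $readDword $lsa 'DisableRestrictedAdmin'

    $findings = @()
    if ($tokenFilter -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: UAC remote restrictions disabled (local-account pass-the-hash possible).'
    }
    # Restricted Admin mode is off unless this value exists and is 0.
    if ($restrictedAdmin -eq 0) {
        $findings += 'DisableRestrictedAdmin=0: RDP Restricted Admin mode enabled (pass-the-hash over RDP possible).'
    }
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = $tokenFilter       # $null = not set
        DisableRestrictedAdmin        = $restrictedAdmin   # $null = not set
        Findings                      = $findings
        Exposed                       = ($findings.Count -gt 0)
    }
}

# Security log clears are recorded as Security event 1102 before the log is
# emptied, with the clearing account in the event's UserData section.
function Get-SecurityLogClearEvents {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $who = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            ComputerName = $_.MachineName
            Account      = '{0}\{1}' -f $who.SubjectDomainName, $who.SubjectUserName
            LogonId      = $who.SubjectLogonId
        }
    }
}

Get-PassTheHashRegistryExposure | Format-List
Get-SecurityLogClearEvents -Days 30 | Format-Table -AutoSize
```

A host where either registry finding appears and neither setting was deployed deliberately by policy should be treated as possibly tampered with, and a 1102 event that no administrator can account for is worth an incident ticket on its own. Forward the Security log to a central collector so that the 1102 record is preserved even if the attacker clears it again.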
Image 4: Vice Society Ransomware Note
Source: Tripwire
Unfortunately, cyber attacks are common at the start of every school year. Threat actors have made a habit of targeting schools during the first few weeks of classes because they know that teachers and administrators are overwhelmed with the rush of a new year, emails, and other online tasks. There is a bigger picture here, however: LAUSD is not a small school district that lacks resources, yet it was still breached. The district has more than 600,000 students across more than 1,000 schools.
Not every school district in America has the resources to defend themselves against a ransomware attack. In July 2022, Cedar Rapids Community School District in Iowa actually paid the demanded ransom to a threat actor so they could regain access to their systems. The school’s superintendent stated the following:
“As part of the process to resolve this matter, CRCSD made payment to a third-party entity to ensure critical information that may have been accessed was not released,” Superintendent Noreen Bush wrote Friday in a letter to parents. “We made this decision after consulting closely with cybersecurity experts and legal counsel and determining it was in the best interest of our school community.” – Superintendent Noreen Bush, via Govtech.com
As a result of the attack, the district experienced disruption to their computer systems and had to shut down some of their operations for a few days just as the school year was starting on August 3, 2022. The district had to work with their internal IT staff, as well as third-party vendors to make sure something similar did not happen in the future. The ransom amount was not disclosed nor was the name of the ransomware gang, but the breach impacted over 750 students.
Personal information such as names, addresses, Social Security numbers, and driver's license numbers was exposed in the breach. The district stated that it would offer a free year of credit monitoring services to help protect the impacted individuals. This is a good example of threat actors attacking districts at a time when they know they will be vulnerable. Attackers seek this kind of personal data because it can be sold on dark web markets, and because it gives them leverage to extort the victim organization directly.
According to Comparitech, ransomware attacks cost U.S. K-12 schools and colleges an estimated $3.56 billion in 2021, and there are additional costs for recovering data and improving security afterward. Recovering large amounts of encrypted data can be nearly impossible, and many schools cannot afford the extra expense. This is why it is important for school districts to get ahead of the curve and protect themselves now, before they have to recover from a devastating ransomware attack. Take a look at some of the things your district can do to help keep your environment safe:
Threat actors like Vice Society will not stop until they have achieved their financial goal. It is crucial for educational institutions to have tools in place to keep attackers out of the cyber environments and to help mitigate cyber attacks should they be breached. Avertium can help by providing the following services:
Avertium, CISA, and the FBI recommend the following for protection against Vice Society:
Cybersecurity in Education: What Teachers, Parents and Students Should Know (Berkeley Boot Camps)
FBI warns of Vice Society ransomware attacks on school districts (bleepingcomputer.com)
The State of Ransomware in Education 2022, Sophos whitepaper (enterpriseav.com)
Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)
Vice Society claims LAUSD ransomware attack, theft of 500GB of data (bleepingcomputer.com)
Ransomware attack leaves L.A. schools racing to recover (axios.com)
Flash Notice – The PrintNightmare Continues (avertium.com)
Cedar Rapids School District Pays Ransom for Cyber Attack (govtech.com)
Ransomware gang Vice Society leaks stolen L.A. students' data (axios.com)
Ransomware gang leaks data stolen from LAUSD school system (bleepingcomputer.com)
Huge Los Angeles Unified School district hit by cyberattack (AP News)
#StopRansomware: Vice Society (CISA)
Why is an Asset Inventory Important for Security? (Triaxiom Security)
Multi-factor Authentication Deployment in Higher Education (bio-key.com)
Warning issued about Vice Society ransomware targeting the education sector (malwarebytes.com)
Warning issued about Vice Society ransomware gang (tripwire.com)
Vice Society Ransomware Actors Target PrintNightmare (Decipher, duo.com)
CISA, FBI Warn of Vice Society Ransomware Attacks on Schools (Decipher, duo.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.