The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint security alert warning U.S. school districts about the Vice Society ransomware gang, days after the second-largest school district in the United States was crippled by a ransomware attack.
Major Ransomware Attack Reported by Los Angeles Unified School District
Ransomware attacks are common over holiday weekends, and the Labor Day weekend saw a major attack on the Los Angeles Unified School District (LAUSD). The K-12 school district serves more than 660,000 students and has around 70,000 employees.
According to an LAUSD announcement, unusual activity was detected within its IT systems over the weekend, with the attack causing disruption to business operations. Ransomware attacks often result in temporary school closures, but LAUSD schools are expected to remain open. LAUSD said the attack is likely to result in delays or modifications to business operations while it recovers from the attack, but that it does not anticipate the attack preventing the provision of instruction, transportation, food, and Beyond the Bell services. LAUSD said business operations such as payroll and healthcare do not appear to have been affected and safety and emergency mechanisms remain in place. The ransomware group behind the attack on LAUSD has not been disclosed. LAUSD said no immediate demand for payment was issued by the attackers.
According to Brett Callow, threat analyst at cybersecurity firm Emsisoft, so far in 2022, at least 26 U.S. school districts and 24 colleges and universities have suffered ransomware attacks. Of the schools affected by these attacks, 31 are known to have had data stolen and published online.
Warning Issued About Vice Society
Within a few days of the attack occurring, the FBI, CISA, and MS-ISAC issued a joint warning to the education sector about the Vice Society ransomware gang, which has targeted several school districts, colleges, and universities this year in the United States and beyond. It is currently unclear if Vice Society was behind the attack on LAUSD, but the FBI said that its investigations have identified Vice Society ransomware attacks on the education sector in the United States as recently as September 2022.
Vice Society first appeared in May 2021 and has used a variety of ransomware variants in its attacks, including Hello Kitty, Zeppelin, and Five Hands. The group has disproportionately attacked the education sector. The attacks have involved file encryption, data theft and publication, and have caused major disruption, including the temporary closure of some schools and delays to examinations.
The alert shares technical information about the tactics, techniques, and procedures (TTPs) employed by Vice Society, Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and recommended mitigations.
“The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk.”