Skip links

US school year opens with reading, writing, and ransomware

The Vice Society threat group is ramping up ransomware attacks on US school districts just as students around the country return to the classroom, the FBI and other federal agencies are warning.

The FBI, Cybersecurity and Infrastructure Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory this week that the Vice Society, which first appeared in the summer of 2021, recently began to disproportionately target the US education sector with ransomware attacks and they expect such attacks to increase as the school year rolls on.

“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk,” the agencies wrote.

“K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”

Educational institutions, from local school districts to universities, are coming under increasing numbers of ransomware attacks fueled in large part by the rise of ransomware-as-a-service (RaaS), which lowers the skill level needed for launching such campaigns.

According to a July reportfrom cybersecurity vendor Sophos, ransomware attacks on educational entities jumped in 2021, with lower education seeing a 56 percent year-over-year increase and higher education growing 64 percent.

The education sector is the least able to keep data from being encrypted during an attack and the recovery costs from a ransomware attack are high – lower education last year spent an average $1.58 million and higher education $1.42 million, according to Sophos.

The FBI said the effects of ransomware attacks include restricted access to networks and data, theft of personnel data related to staff and students, delayed exams, and cancelled school days.

Over the Labor Day weekend, the Los Angeles Unified School District (LAUSD) came under a ransomware attack that temporarily shut down email, computer systems, and applications. Emsisoft threat analyst Brett Callow said in a series of tweets that the LAUSD was the 50th US education organization to be hit with a ransomware attack this year.

Vice Society is much like other ransomware groups these days. Rather than encrypt the data found on victims’ networks, it exfiltrates the files and threatens to publicly release the data if the ransom isn’t paid. The group also doesn’t use a ransomware variant it developed. Instead, it deploys versions of such ransomware families as HelloKitty/Five Hand and Zeppelin. The group also may use other variants in the future, according to the advisory.

Threat researchers with cybersecurity vendor Sekoia said in a July report that Vice Society – which they believe is operated by English speakers – uses Zeppelin to target Windows systems while HelloKitty was used to target Linux systems at the end of 2021.

As of June, the group had claimed 88 victims. Just over 26 percent of those listed on its leak site are educational-related entities, according to Sekoia. Vice Society is also known for targeting the healthcare industry and was behind the attack earlier this year on accounting company Optionis Group.

Among its recent education victims are the Linn-Mar Community School District in Iowa and the Medical University of Innsbruck.

The federal agencies suspect that Vice Society attackers get initial access to a target’s network by exploiting internet-facing applications and stealing compromised credentials. They then spend time moving through the network to identify ways to increase access and exfiltrating data that will be used in their double-extortion tactics.

Just as the group employs various ransomware variants in its attacks, it also uses a range of tools to move laterally through the network, including SystemBC, PowerShell Empire, and Cobalt Strike.

“They have also used ‘living off the land’ techniques targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content,” the agencies wrote in their advisory.

Vice Society also has exploited the PrintNightmare vulnerability – a remote code execution (RCE) flaw that can enable cybercriminals to take control of a PC – to escalate privileges and leverage scheduled tasks, create undocumented autostart Registry keys, and point legitimate services to its own malicious dynamic link libraries via the DLL side-loading tactic.

The group evades detection by masking their malware as legitimate files, process injection, and leveraging tools to defeat dynamic analysis.

“Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating,” the agencies wrote.

As part of their advisory, they listed the indications of compromise (IoC) and a laundry list of steps school districts can take to protect themselves against ransomware attacks, including maintaining offline backups, reviewing the security posture of third-party vendors, developing a recovery plan, requiring multifactor authentication for all services, segment networks, and keeping all systems up to date. ®

Source