A ransomware outfit calling itself Vice Society has dumped nearly 300,000 files belonging to the Los Angeles Unified School District as punishment for rebuffing demands it pay the group a hefty fee to recover data stolen during a recent cyber intrusion.
Ransomware operators breach targets’ networks, encrypt all their data, and then charge victims a ransom for the decryption key. More recently, the groups have moved to a double extortion model, in which they also publish the data on the dark web unless victims pay a ransom to keep it private. Already this year, 27 school districts with 1,735 schools among them have been hacked in ransomware incidents, Brett Callow, a threat analyst with security firm Emsisoft, said.
So far this year, 29 post secondary schools in the US have been hit as well as 27 districts with 1,735 schools between them. At least 37/56 incidents involved data theft. A good round-up from @lorenzofb 2/3https://t.co/VFcPVmOjkh
— Brett Callow (@BrettCallow) October 3, 2022
The Los Angeles Unified School District is the second biggest school district in the US, behind the New York City Department of Education, making it a trophy of sorts for ransomware groups that prey on these organizations.
Vice Society is a Russian-speaking ransomware group that has emerged over the past couple of years to become a menace, mainly to small- and middle-sized companies. The group specializes in human-operated ransomware attacks, as opposed to automated attack techniques favored by many of its peers. Callow said in a direct message that the Vice Society gang attacked at least eight other US school districts, colleges, and universities so far in 2022.
In the past it has used critical vulnerabilities in network devices from SonicWall and the Windows zero-day known as PrintNightmare as an initial entry point into companies it has targeted.
The LAUSD said in early September it suffered a ransomware attack that created districtwide disruptions to email, computer systems, and applications. A couple of days later, the Cybersecurity and Infrastructure Security Administration published an advisory warning that the group had been “disproportionately targeting the education sector.”
On Friday, district officials said they had no intention of paying a ransom to the threat actors.
“Los Angeles Unified remains firm that dollars must be used to fund students and education,” they wrote. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”
On Friday, LAUSD superintendent Alberto Carvalho was even more forceful in his rejection of the group’s demands.
“What I can tell you is that the demand—any demand—would be absurd,” he told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
Friday’s LAUSD statement warned employees and families that the group was likely to respond by releasing breached data publicly.
Over the weekend, that’s precisely what Vice Society did on its name-and-shame site. The haul, which researchers from security firm Checkpoint said included more than 284,000 files, contains a wide variety of documents, images, and other documentation. One video purports to be part of an incident report and appears to show district personnel monitoring a video feed and responding to other staff members over a two-way radio. Other documents list the names, Social Security numbers, attendance records, unredacted passports, and other sensitive information of school employees and contractors.
Like many municipalities, school districts are particularly vulnerable to ransomware attacks because they frequently use outdated hardware and software.