CISA warns of ‘Vice Society’ after school-district ransomware attack

K–12 institutions are lucrative targets, said CISA.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The hackers who targeted the Los Angeles Unified School District over Labor Day weekend have escalated their efforts by demanding ransom, LA schools Supt. Alberto Carvalho told the LA Times this week.

Reports have linked the shakedown to “Vice Society”—an extortion group that the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued warnings about days after the breach was first announced.

The agencies’ Sept. 6 advisory revealed details of the Vice group, along with ways to recognize and defend against its tactics. The lengthy list of ransomware-prevention recommendations from at least one agency that considers itself the nation’s cybersecurity “quarterback” suggests that schools—always packed with students and students’ personal data—have become an enticing mark for hackers.

“K–12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers,” the advisory said.

Who is Vice Society: Not the new Grand Theft Auto, Vice Society is an “intrusion, exfiltration, and extortion hacking group” that has deployed versions of HelloKitty/FiveHands and Zeppelin ransomware, CISA said. Moving laterally with tools like PowerShell Empire and Cobalt Strike, Vice Society, according to the agency, has “been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts.”
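One way a defender could watch for the scripted password changes the advisory describes, as an added example that is not from the article or the advisory: it flags any account that resets many distinct accounts' passwords within a short window. It assumes Windows Security event ID 4724 (password reset attempt) records already parsed into dicts; the field names, account names, threshold, and window are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENT_ID = 4724  # Windows Security log: attempt to reset an account's password


def find_bulk_resets(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: max distinct targets reset inside any `window`} for
    actors that reach `threshold`. `events` are dicts with the (assumed)
    keys event_id, time (datetime), actor, target."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] == RESET_EVENT_ID:
            by_actor[ev["actor"]].append((ev["time"], ev["target"]))

    flagged = {}
    for actor, resets in by_actor.items():
        resets.sort()
        start = 0
        best = 0
        for end in range(len(resets)):
            # Advance the left edge until the span fits inside `window`.
            while resets[end][0] - resets[start][0] > window:
                start += 1
            distinct = len({target for _, target in resets[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[actor] = best
    return flagged


def _constructed_events():
    """Constructed sample data, not taken from the advisory or any incident."""
    t0 = datetime(2022, 1, 10, 2, 0, 0)
    events = [
        # A help-desk account resetting two passwords hours apart: routine.
        {"event_id": 4724, "time": t0, "actor": "helpdesk1", "target": "student01"},
        {"event_id": 4724, "time": t0 + timedelta(hours=3), "actor": "helpdesk1", "target": "student02"},
        # An unrelated event ID (4624, logon) that must be ignored.
        {"event_id": 4624, "time": t0, "actor": "da-svc", "target": "dc01"},
    ]
    # One privileged account resetting 8 accounts at 20-second intervals: scripted.
    for i in range(8):
        events.append({"event_id": 4724, "time": t0 + timedelta(seconds=20 * i),
                       "actor": "da-svc", "target": f"staff{i:02d}"})
    return events


if __name__ == "__main__":
    for actor, count in find_bulk_resets(_constructed_events()).items():
        print(f"ALERT: {actor} reset {count} distinct accounts within 10 minutes")
```
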

Why this matters: The joint report arrived after a string of 2022 ransomware attacks targeting schools and universities, most notably and recently the LAUSD outage. Other 2022 ransomware incidents have hit Lincoln College in Illinois and the Mansfield, Texas, school district.

According to the consumer-research index Comparitech, 67 individual ransomware attacks occurred in 2021, impacting 954 schools and colleges and 950,000+ students. More than 30 attacks have targeted the education sector so far in 2022, according to daily updated maps from Comparitech.

What to do: CISA wrote a long list of recommendations. Here are three top suggestions.

• Prioritize and remediate known exploited vulnerabilities. “Vice Society actors” have exploited the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) “to escalate privileges,” per the report.

• Train users to recognize and report phishing attempts, a common entryway for attackers.

• Enforce multifactor authentication, “particularly for webmail, virtual private networks, and accounts that access critical systems.”

As the new school year kicks off, CISA, MS-ISAC, and the FBI warn that cyberattacks could ramp up. Schools with limited financial resources and cybersecurity protections “are often the most vulnerable,” the advisory said.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
