Analysis of Vice Society finds that the hacking group times its attacks with school-year transitions

Vice Society, the hacking group that targeted the Los Angeles Unified School District with a ransomware attack in September and other school systems throughout the fall, is careful with how it times its attacks.

Vice Society doesn’t only target schools, but spreads a wide net in its efforts to deploy ransomware attacks, hitting a number of different industries, including healthcare, state and local governments, and manufacturing.

But nearly 40% of the group’s attacks focus on the education sector, particularly in the US, according to a recent report by threat analysis group Unit 42. The report also showed that the gang lines up their assaults on educational systems based on the school year.

Ryan Olson, Unit 42’s VP of threat intelligence, told IT Brew that his team took an interest in Vice Society as ransomware attacks on educational systems and other industries began to rise over the past year.

“We tried to identify what are the cases [and] groups that are on the rise,” Olson said. “That’s what led to us looking into Vice Society, especially because they had a focus on education.”

Uniquely targeted. What makes Vice Society special is not only that they target educational systems, it’s that their attacks appear to make use of a varied amount of ransomware software rather than building their own. And the group targets, attacks, and ransoms all together, unlike other groups that tend to be part of a larger network of operators doing each portion of the attack separately.

“Vice Society, because they operate a little differently, because they are selecting their own targets—we think that that’s the reason that they have over-targeted education compared to other groups…when you are targeting one industry multiple times, you tend to get a better understanding of how can you put the most pressure on that organization,” Olsen told IT Brew.

Whereas many ransomware gangs may look to take a “spray and pay” approach to attacks, Vice Society’s focus on schools strikes TJ Sayers, cyber threat intelligence manager at the Center for Internet Security (CIS), as notable. Sayers also pointed to Vice Society’s somewhat slapdash software avenue of attack, echoing Olsen’s take on the group’s unique structure.

“They’re not really working with affiliates,” Sayers said. “They are using a mishmash of different ransomware variants, kind of like recycling code, pulling out some older vulnerabilities.”

Stress timing. Unit 42’s analysis of a year’s worth of data pertaining to Vice Society activities found that spikes in hacking activity in spring and fall could point to attempts on the group’s behalf to time their attacks “with this sector’s unique calendar year,” according to the report summary.

The chaos caused by attacking the schools at such a time could be devastating to student development. The attempts to use the school year as a sort of psychological hack attack did not occur to Todd Richmond, director of the Tech + Narrative Lab and a professor at the Pardee Rand Graduate School, as an indication of any special insider knowledge.

“I think it’s [that] they understand that schools have times when they’re in session and when they’re not in session,” Richmond said.

“There’s a reason to target schools more at the beginning of the year because it introduces more opportunity for chaos, for shutting systems down and for causing harm,” Olson said, adding that it would impact “not just the kids, but the parents of those kids are also impacted that kids can’t go to school, or their data has potentially been leaked—you sort of get this broader impact, which also leads to more pressure on the school district to pay in those instances.”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected].