K-12 Sector Under Attack by Vice Society RaaS Group
The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) has observed the Vice Society Ransomware-as-a-Service (RaaS) group increasingly targeting U.S. schools, specifically K-12 organizations.
Recent Vice Society Attacks Against K-12 Organizations
On September 6, 2022, the MS-ISAC released a joint Cybersecurity Advisory (CSA) with the FBI and CISA on Vice Society. Together, they "observed [that] Vice Society actors [are] disproportionately targeting the education sector with ransomware attacks."
Here are three such attacks that made headlines.
Medical University of Innsbruck
Back in June 2022, the Medical University of Innsbruck in Austria disclosed an IT outage and revealed that it had responded to the incident by restricting access to online servers and computer systems. The university's IT personnel then reset all students' and employees' account passwords, reported Bleeping Computer. Over the days that followed the attack, the IT team gradually restored access to the online servers and brought the main site back online.
Vice Society later claimed responsibility for the attack. The group also added the university to its data leak site and uploaded a set of documents allegedly stolen from the institution. At least some of the documents contained the university's letterhead among other indications of authenticity.
Elmbrook School District
The next publicly-confirmed Vice Society attack affected Elmbrook School District in Brookfield, Wisconsin. In August 2022, Superintendent Dr. Mark Hansen sent out an email informing community members that the district had suffered a cyber attack involving unauthorized access to a portion of its network. The district launched an investigation into what happened and learned that those responsible for the attack had published some of its data on the dark web.
Dr. Hansen didn't call out the Vice Society by name. In his email, however, he provided a link to the joint CSA discussed above and wrote that it highlighted the "organization responsible for posting the District's data on the dark web." He also brought up one of Vice Society's most high-profile attacks: an incident involving the Los Angeles Unified School District.
Los Angeles United School District
At the beginning of September, the Los Angeles Unified School District (LAUSD), which is the United States' second-largest school district with more than 600,000 students, fell victim to Vice Society. The attack affected the district's email and other applications, according to DataBreachToday, but it didn't prevent LAUSD from holding classes on Tuesday after the Labor Day weekend – several days after a representative of the ransomware group claimed responsibility for the attack.
When asked by DataBreachToday, the Vice Society representative didn't directly answer whether they had stolen students' information. Confirmation came in the following weeks, however. In late September, LAUSD announced that Vice Society had issued a ransom demand in connection with the attack, per NBC Los Angeles. Alberto M. Carvalho, the superintendent of LAUSD, tweeted a few days later that Vice Society had published data stolen in the attack.
Thank you to our students, families and employees for doing their part in the ongoing recovery from this cyberattack. pic.twitter.com/K8VhiFmSbL
— Alberto M. Carvalho (@LAUSDSup) October 2, 2022
According to TechCrunch, the leaked data included financial reports, COVID-19 testing information, and psychological assessments of students, among other personally identifiable information (PII).
Background Information on Vice Society
As noted in the joint CSA, Vice Society is a ransomware group that first appeared in the summer of 2021. It stands out compared to gangs like LockBit and BlackCat in that it doesn't use its own ransomware payload. Instead, it commonly deploys payloads of Hello Kitty/Five Hands or Zeppelin on victims machines.
Not having their own ransomware payload might serve as a strategic advantage, notes the CTI team.
"One possible reason is that not having a separate ransomware payload helps Vice Society to maintain anonymity and not grow its brand," the team explained. "Take what happened with the Colonial Pipeline Company. The U.S. government got involved after the DarkSide group affected the delivery of oil in the United States. Ransomware groups don't want to attract this type of unwanted attention. They would much rather prey on organizations that have money and that are likely to pawn off a ransom demand onto a cyber insurance provider."
Another explanation is that Vice Society doesn't have the necessary expertise to develop its own RaaS operation, so it's using what already exists.
The joint CSA explains that Vice Society likely gains initial access to a targeted network through compromised credentials by exploiting web-facing applications. The attack group then uses tools like Cobalt Strike along with Living off the Land (LotL) techniques to move laterally across the network and exfiltrate data for double extortion. Only then do they deploy the ransomware payload.
Putting K-12 Ransomware Attacks into Context
Vice Society has attracted the attention of law enforcement for singling out K-12 organizations, but that doesn't mean ransomware groups are just now starting to target this sector. On the contrary, K-12 organizations accounted for 33.5% of U.S. State, Local, Tribal, and Territorial (SLTT) ransomware incidents reported to the MS-ISAC between 2019 and 2021. These attacks reflect how threat actors, such as Vice Society and other ransomware gangs, like to set their sights on those that are "target rich and resource poor," or organizations like K-12 facilities that have money but lack robust cybersecurity funding and internal expertise. Indeed, many ransomware attacks against K-12 organizations take months, if not longer, to remediate and can cost over $1 million, according to the MS-ISAC K-12 Report: A Cybersecurity Assessment of the 2021-2022 School Year.
To make the most of their attacks, groups commonly go after K-12 organizations at the beginning of the school year, leading to a spike in K-12 ransomware reporting at that time.
The CTI team isn't surprised.
"At the beginning of the school year, there's a lot of disarray and effort to acclimate among new students, faculty, and admins," it observed. "To have a hard-stop interruption at this time can throw the rest of the school year off. What's more, the start of the school year is when many school districts haven't yet spent discretionary funds on plowing snow, AC maintenance, and other issues. Ransomware gangs can use this to their advantage and maximize their demands."
How K-12 Organizations Can Defend Against Ransomware
When it comes to defending against ransomware, there's perhaps no greater challenge for K-12 organizations than cybersecurity awareness. This goes for everyone in a school setting.
"When we're talking about faculty and admins, there's a general lack of training, experts, financial resources, and cyber defense technology around helping these individuals to not fall for a phishing attack, perpetuate a business email compromise (BEC) scam, etc.," the CTI team pointed out. "As for your students, they're mostly using cloud learning platforms without the awareness of how to handle themselves online."
In light of these challenges, every K-12 organization should become a member of the MS-ISAC. Membership grants organizations access to many free and low-cost resources that they can use to fight against ransomware. For instance, MS-ISAC members can gain access to CIS SecureSuite Membership at no cost to them and use it to enact Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). Our CIS Community Defense Model (CDM) v2.0 shows that organizations can effectively defend against 78% of ATT&CK (sub-)techniques by implementing the Safeguards of IG1. While anyone can implement IG1 on their own, SecureSuite provides scalable, customizable tools to test the successful deployment and configuration of these controls, providing actual, measurable inputs to an organization's risk equation.
They can also cultivate defense in depth against ransomware by leveraging additional fee-based MS-ISAC services. These services include CIS Endpoint Security Services and Albert Network Monitoring and Management, which are designed to help organizations detect and block attempted attacks at the endpoint and network levels. Additionally, K-12 organizations can consider creating a security awareness training program for admin, faculty, staff, and students through a group procurement opportunity like CIS CyberMarket.