FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.
“The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks,” today’s joint advisory reads.
They also “anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks.”
The joint advisory also provides network defenders with Vice Society indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) observed by the FBI in attacks as recently as September 2022.
“The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents,” the advisory adds.
Attacks on the education sector, mainly targeting kindergarten through twelfth grade (K-12) institutions, have a massive impact on their operations, ranging from restricted access to networks and data, delayed exams, and canceled school days to the theft of personal information belonging to students and school staff.
One such attack was disclosed today by Los Angeles Unified (LAUSD), the second-largest school district in the U.S., after a ransomware attack took down some of its Information Technology (IT) systems over the weekend—LAUSD hasn’t yet attributed the attack to a specific ransomware gang.
Victims asked to share attack details with the FBI
Network defenders are advised to take measures to defend against and limit the impact of ransomware attacks, including prioritizing and remediating known exploited vulnerabilities, training their users to recognize and report phishing attempts commonly used as initial attack vectors, and enabling and enforcing multifactor authentication.
The FBI also asked victims to share logs and other information linked to the attacks.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file,” the federal law enforcement agency said.
Vice Society actors steal sensitive data from compromised systems before encryption and later use it for double extortion, threatening to leak the stolen data if their ransom demand isn’t paid.
One of the group’s recent victims is the Austrian Medical University of Innsbruck, which was forced to reset the account passwords of all 3,400 students and 2,200 employees after a severe IT service disruption and the leak of data stolen in the attack on the gang’s data leak site.
Emsisoft threat analyst Brett Callow said that ransomware attacks had disrupted education at roughly 1,000 universities, colleges, and schools during 2021.
In November, U.S. Senators Maggie Hassan, Kyrsten Sinema, Jacky Rosen, and Chris Van Hollen urged the U.S. Department of Education and the Department of Homeland Security (DHS) to strengthen cybersecurity protections at K-12 schools to keep up with this massive wave of attacks.