The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend.
LAUSD says it enrolls more than 640,000 students, from kindergarten through 12th grade, and it includes Los Angeles and areas from 31 smaller municipalities, as well as some Los Angeles County unincorporated sections.
The Vice Society operation told BleepingComputer that they were responsible for the LAUSD ransomware attack but said they would not provide any proof of the attack until they published an entry on their data leak site.
The attackers also claimed to have stolen files from compromised LAUSD systems before encrypting them with ransomware.
“We have 500 gb of data from their network,” a Vice Society representative later told BleepingComputer on Thursday evening but refused to provide proof of the stolen data.
FBI warns of Vice Society targeting schools
While the Los Angeles school district has yet to link the incident to a specific ransomware group, on the day it disclosed the ransomware attack, the FBI, CISA, and MS-ISAC published a joint advisory warning that Vice Society is disproportionately targeting the U.S. education sector.
Additionally, the Homeland Security Division of California Governor’s Office of Emergency Services (CalOES) and the California Cybersecurity Integration Center (Cal-CSIC), a multi-agency center that leads California’s cybersecurity response efforts, emailed local government agencies and education entities in the state to alert them to this advisory.
“The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022,” the email reads.
“The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.”
Vice Society is known for having used multiple ransomware strains in their attacks, including HelloKitty/Five Hands (ransom notes named !!!readme!!!.txt) and Zeppelin (ransom notes named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT) ransomware.
They also steal data from victims’ networks before encryption to later use it for double-extortion, threatening to leak the stolen data if their ransom demands aren’t met.
The gang has claimed attacks on other school districts, schools, and universities worldwide, including the Austrian Medical University of Innsbruck, the San Luis Coastal Unified School District, the Moon Area School District, the Grand Valley State University, and many others.
In-person password resets after ransomware attack
On Thursday, LAUSD said its task force was making “progress toward full operational stability for several core information technology services,” noting that the attendance rate across the school district reached 93%.
Following the attack, LAUSD has also asked all district employees (teachers, support staff, administrators) and elementary, middle, and high school students to reset their @LAUSD.net account credentials in person at a district site.
“While students and employees continue to re-authenticate their accounts, Los Angeles Unified is strengthening accounts by expediting the rollout of a multi-factor authentication process,” Superintendent Alberto M. Carvalho said.
“As a point of clarification, compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies. All compromised credentials have been fully deactivated to protect network integrity.”
LAUSD’s Chief Communications Officer Shannon Haber refused to comment on Vice Society’s claims, saying that the school district has nothing to add to the “myriad of updates” posted on its newsroom and social media accounts.