Sep 7 – Last year, the Vice Society ransomware gang began deploying ransomware attacks against the education sector, according to the US Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the MS-ISAC, a cyber threat information-sharing body.
Because of the sensitive nature of the student data stored on school systems and with third-party providers, cyber criminals perceive schools as lucrative, data-rich environments.
A recent attack on the second-largest school district in the US, the Los Angeles Unified School District, has prompted worry among officials and school administrators…
Vice Society ransomware
While Vice Society ransomware’s activities have not been explicitly tied to the Los Angeles Unified School District attack, the group’s name is mentioned in every media publication that acknowledges the school district’s breach.
Vice Society is known as a double-extortion ransomware group. It has previously deployed versions of the Hello Kitty/Five Hands ransomware and the Zeppelin ransomware, although the group may have used, and may continue to use, additional ransomware variants.
In the past, the group has exploited internet-facing applications to compromise credentials and obtain initial network access. After escalating privileges and gaining access to domain administrator accounts, Vice Society operators have run scripts that change the passwords of targets’ network accounts, preventing administrators and IT staff from easily mitigating the attack.
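The mass password-change step described above leaves a recognisable trail in the Windows Security log: one account resetting the passwords of many other accounts in a short window. The detector below is an added example for this article, not code from the advisory or from any vendor; it works on Windows Event ID 4724 ("an attempt was made to reset an account's password"), and the record field names and the sample events are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event ID 4724 is logged when one account resets another account's password.
PASSWORD_RESET_EVENT = 4724


def _make_sample_events():
    """Constructed sample of Security log records (not real telemetry).

    A helpdesk account performs two routine resets hours apart, plus an
    unrelated logon event; a second account then resets 12 accounts in
    under two minutes, which is the pattern the article describes.
    """
    events = [
        {"time": "2022-09-02T14:05:00", "event_id": 4724, "subject": "CORP\\helpdesk1", "target": "asmith"},
        {"time": "2022-09-02T15:30:00", "event_id": 4724, "subject": "CORP\\helpdesk1", "target": "bjones"},
        {"time": "2022-09-02T16:45:00", "event_id": 4624, "subject": "CORP\\helpdesk1", "target": "bjones"},
    ]
    base = datetime(2022, 9, 3, 2, 10, 0)
    for i in range(12):
        events.append({
            "time": (base + timedelta(seconds=10 * i)).isoformat(),
            "event_id": 4724,
            "subject": "CORP\\admin-x",  # hypothetical compromised admin account
            "target": f"user{i:02d}",
        })
    return events


SAMPLE_EVENTS = _make_sample_events()


def detect_mass_password_resets(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per subject that resets >= `threshold` distinct
    accounts within any `window`-long span of time.

    Uses a sliding window per subject so a slow, legitimate helpdesk
    workload does not trip the rule while a burst does.
    """
    by_subject = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["event_id"] == PASSWORD_RESET_EVENT:
            ts = datetime.fromisoformat(ev["time"])
            by_subject[ev["subject"]].append((ts, ev["target"]))

    alerts = []
    for subject, resets in by_subject.items():
        recent = deque()
        peak = 0  # largest number of distinct targets seen inside one window
        for ts, target in resets:
            recent.append((ts, target))
            while ts - recent[0][0] > window:
                recent.popleft()  # drop resets that fell out of the window
            peak = max(peak, len({t for _, t in recent}))
        if peak >= threshold:
            alerts.append({
                "subject": subject,
                "accounts": peak,
                "first": resets[0][0].isoformat(),
                "last": resets[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_password_resets(SAMPLE_EVENTS):
        print(f"ALERT: {alert['subject']} reset {alert['accounts']} accounts "
              f"between {alert['first']} and {alert['last']}")
```

The threshold and window are tunable; a realistic deployment would also exclude the account used by a sanctioned password-reset tool, and would treat resets of privileged or service accounts as higher severity than the same count of ordinary user resets.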
Vice Society technical details
According to a recent security advisory, the group’s tools enable it to move laterally across networks. Its operators have also been observed escalating privileges by exploiting PrintNightmare, a set of vulnerabilities in the Windows Print Spooler service that give attackers remote code execution on targets’ machines.
To maintain persistence in compromised environments, Vice Society has used a variety of techniques, including disguising malware as legitimate files and using process injection.
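"Disguising malware as legitimate files" usually means one of a few tricks: an executable carrying a document extension, a double extension such as `.pdf.exe`, or a binary that borrows the name of a Windows system process but lives outside the system directories. The scanner below is an added example written for this article, not code from the advisory or any vendor; it checks those three conditions on a constructed list of file paths and byte contents, and the `scan` / `classify` / `is_pe` names, the list of system binaries and the sample paths are all assumptions for the demonstration.

```python
import ntpath
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}
DOCUMENT_EXTENSIONS = {".pdf", ".txt", ".docx", ".xlsx", ".jpg", ".png"}
# Names commonly borrowed by masquerading malware, and where the real ones live.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}


def is_pe(data: bytes) -> bool:
    """True if `data` starts like a Windows PE file: an 'MZ' DOS header whose
    e_lfanew field (bytes 0x3C..0x3F) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str, data: bytes) -> List[str]:
    """Return the masquerading indicators found for one file (empty if none)."""
    findings = []
    lowered = path.lower()
    root, ext = ntpath.splitext(lowered)
    name = ntpath.basename(lowered)
    directory = ntpath.dirname(lowered)

    # 1. Content says "executable", name says "document".
    if is_pe(data) and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("pe_with_non_executable_extension")

    # 2. Double extension: invoice.pdf.exe shows as "invoice.pdf" when
    #    Explorer hides known extensions.
    inner_ext = ntpath.splitext(root)[1]
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        findings.append("double_extension")

    # 3. A system process name running from a user-writable location.
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append("system_name_in_unusual_path")

    return findings


def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every file; only files with at least one finding are returned."""
    results = {}
    for path, data in files.items():
        findings = classify(path, data)
        if findings:
            results[path] = findings
    return results


# Constructed minimal PE image: 'MZ' header, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16

# Constructed sample file set (paths and contents are made up for the example).
SAMPLE_FILES = {
    "C:\\Users\\student\\Downloads\\grades.pdf": FAKE_PE,
    "C:\\Users\\student\\Downloads\\invoice.pdf.exe": FAKE_PE,
    "C:\\Users\\student\\AppData\\Local\\Temp\\svchost.exe": FAKE_PE,
    "C:\\Windows\\System32\\svchost.exe": FAKE_PE,
    "C:\\Users\\student\\Documents\\notes.txt": b"Just a text file.\n",
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(findings)}")
```

On a real host the byte checks would be fed from the files themselves (only the first few hundred bytes are needed) and the path rules from a process-creation or file-creation feed; the value of the approach is that it does not depend on a signature for the specific payload, which is exactly what a renamed or repackaged binary is designed to defeat.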
Preparing for security threats
Organizations in the education sector are encouraged to take steps that help prevent security threats and prepare them to respond. These steps include maintaining offline data backups, ensuring that backup data is encrypted, reviewing the security posture of third parties, and monitoring for suspicious activity.
If hit with a ransomware attack, US authorities advise against paying the requested ransom, noting that payment does not guarantee recovery of the victim’s files. Further, payment may embolden attackers to target additional organizations, encourage other cyber criminals to launch similar schemes, and finance further criminal activity.
For more information, please see CyberTalk.org’s additional concurrent coverage.