U.S. government agencies are warning that Vice Society is “disproportionately” targeting the education sector with ransomware attacks, and they anticipate that attacks will increase as school districts across the country start their academic years in the coming weeks.
Vice Society is a double-extortion ransomware group that was first observed in 2021 and has been identified through FBI investigations as recently as September. The group has deployed versions of the Hello Kitty/Five Hands ransomware and Zeppelin ransomware, though the FBI and CISA said on Tuesday that it may leverage other ransomware variants in the future.
“Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks,” according to the security alert. “Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff.”
The group typically gains initial network access through compromised credentials obtained by exploiting internet-facing applications. After escalating privileges to domain administrator accounts, the group has been observed running scripts that change the passwords of victims' network accounts, locking defenders out of their own environment and preventing them from remediating the attack.
The security advisory outlined the tools the group uses to move laterally, including SystemBC, PowerShell Empire and Cobalt Strike. The actors have also been observed escalating their privileges by exploiting PrintNightmare (CVE-2021-1675 and CVE-2021-34527), a pair of vulnerabilities in the Windows Print Spooler service that can be exploited for local privilege escalation and remote code execution. Vice Society has relied on several techniques to maintain persistence, including scheduled tasks and undocumented autostart Registry keys, and to evade detection, including disguising its malware as legitimate files and using process injection.
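The mass password reset described above leaves a trace that defenders can watch for: each reset of another account's password on a domain controller is recorded as Windows Security event ID 4724, naming the account that performed the reset (the subject) and the account whose password changed (the target). The script below is an added example written for this article, not code published by CISA, the FBI or the article's author. It flags any subject that resets the passwords of five or more distinct accounts within a ten-minute window. The log lines are constructed for the example in a simplified CSV shape; in practice the events would be exported from the Security log (for example with Get-WinEvent), and the threshold and window are assumptions to be tuned per environment, since a help desk legitimately resets passwords all day but rarely dozens at a time.

```python
"""Detect bulk password resets (Windows Security event 4724) by one account.

Scenario: after obtaining domain admin, an intruder scripts password changes
across many accounts to lock defenders out. A single subject resetting many
distinct targets in a short window is the signal this script looks for.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, NOT a real export. One record per line in the shape
#   timestamp,event_id,subject_account,target_account
# helpdesk01 performs routine resets hours apart; svc-backup (a service account
# that should never reset passwords) resets six accounts in five seconds.
SAMPLE_LOG = """\
2022-09-05T02:14:01Z,4724,helpdesk01,jsmith
2022-09-05T02:40:13Z,4724,helpdesk01,rlee
2022-09-05T03:12:07Z,4724,svc-backup,admin.it
2022-09-05T03:12:08Z,4724,svc-backup,admin.net
2022-09-05T03:12:08Z,4724,svc-backup,da.ops
2022-09-05T03:12:09Z,4724,svc-backup,helpdesk01
2022-09-05T03:12:10Z,4724,svc-backup,helpdesk02
2022-09-05T03:12:11Z,4724,svc-backup,backupadmin
2022-09-05T03:45:00Z,4738,svc-backup,admin.it
2022-09-05T09:01:44Z,4724,helpdesk01,mgarcia
"""

# Assumed tuning values; adjust to the environment's normal help-desk volume.
WINDOW = timedelta(minutes=10)
THRESHOLD = 5


def parse_events(text, event_id="4724"):
    """Parse the CSV-style log and keep only records with the wanted event ID.

    Returns a list of (timestamp, subject, target) tuples sorted by time, so the
    sliding-window logic below can assume chronological order.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, subject, target = line.split(",")
        if eid != event_id:
            continue  # e.g. 4738 (account changed) is not a password reset
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), subject, target))
    events.sort()
    return events


def find_bulk_resets(events, threshold=THRESHOLD, window=WINDOW):
    """Return {subject: {"first", "last", "targets"}} for every subject that
    reset at least `threshold` distinct target accounts within `window`.

    A per-subject deque holds the resets still inside the window; older entries
    are dropped as time advances, so memory stays bounded by the window size.
    """
    alerts = {}
    recent = defaultdict(deque)
    for ts, subject, target in events:
        q = recent[subject]
        q.append((ts, target))
        # Drop resets that fell out of the window (the newest entry never does).
        while ts - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            # Keep updating so the alert reflects the full burst, not just the
            # moment the threshold was first crossed.
            alerts[subject] = {"first": q[0][0], "last": ts, "targets": sorted(targets)}
    return alerts


if __name__ == "__main__":
    for subject, a in find_bulk_resets(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {subject}: reset {len(a['targets'])} accounts between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {', '.join(a['targets'])}")
```

Counting distinct targets rather than raw events keeps a user who fumbles the same reset several times from tripping the rule, and the window rather than a daily total separates a burst from a busy but normal help-desk shift. A sensible follow-on is to weight or exclude known help-desk accounts and to alert at any threshold for service accounts and domain admins, which should not be resetting other users' passwords at all.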
“Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom," according to CISA and the FBI. "They have also used 'living off the land' techniques targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content.”
Brett Callow, threat analyst with Emsisoft, said that Vice Society has been responsible for at least six of the 26 incidents that Emsisoft has tracked involving U.S. school districts so far this year.
“Whereas some groups claim to avoid attacks on the education and health sectors, they seem to be Vice Society's primary targets,” said Callow.
The security alert comes the same week that the second-largest U.S. school district, Los Angeles Unified School District, announced that it was hit by a ransomware attack over Labor Day weekend. The district said that some business operations may be delayed and that it is working with the FBI, CISA and the Department of Education for incident response support. Other school districts that have been hit by cyberattacks over the years include the Clark County School District in Nevada, the Allen Independent School District in Texas and the Judson Independent School District in Texas.
President Joe Biden last year signed into law the K–12 Cybersecurity Act of 2021, which is intended to assess the resources school districts need to bolster their cybersecurity. The law directed CISA to work with teachers, school administrators and private sector firms to develop recommendations and an online toolkit to help schools improve their security, from protecting student data to addressing the security challenges of remote learning.
Beyond these efforts, the FBI and CISA recommend that organizations in the education sector take a number of steps to prepare for these threats: maintaining offline backups and ensuring that all backup data is encrypted, implementing and testing a recovery plan, and reviewing the security posture of third-party vendors and interconnected systems and monitoring them for suspicious activity. Organizations should also put protective controls in place, enforce identity and access management, and keep all systems and software up to date.
“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk,” according to CISA and the FBI. “K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”