FBI Warns of K-12 Ransomware Attacks
The FBI, CISA, and MS-ISAC warned last week of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year.
“The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks,” the joint advisory reads.
Who / What is Vice Society?
Vice Society is believed to be an intrusion and extortion group. The group uses the .kitty or .crypted file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, they have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.
The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.
The joint advisory also provides network defenders with Vice Society indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) observed by the FBI in attacks as recently as last week.
The agencies also “anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks.”
“The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents,” the advisory adds.
The alert comes after the Los Angeles Unified School District, one of the largest school districts in the U.S., announced on Monday of last week that it had been infected with ransomware. Hackers infected the district’s computer networks with malicious software, locking up files and demanding a ransom payment. Classes in Los Angeles weren’t canceled, but the attack caused a “significant disruption” to the school district and some of its services, the district announced.
Attacks on the education sector, mainly targeting kindergarten through twelfth grade (K-12) institutions, have a massive impact on their operations, ranging from restricted access to networks and data, delayed exams, and canceled school days to the theft of personal information belonging to students and school staff.
At least 26 U.S. school districts have been infected with ransomware so far in 2022, with seven of those incidents coming since the beginning of August, according to a tally maintained by Recorded Future, a cybersecurity company.
The Biden administration officially made ransomware a high-priority concern in May 2021, after hackers locked up computer networks belonging to Colonial Pipeline, leading to some gas shortages. Since then, there haven’t been any such high-profile ransomware attacks on energy infrastructure.
The FBI also asked victims to share logs and other information linked to the attacks.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file,” the federal law enforcement agency said.