More than 40 educational organizations, including 15 in the United States, suffered ransomware attacks launched by a cybercriminal group called Vice Society, researchers at cybersecurity firm Palo Alto Networks revealed in a report published Tuesday and reported by CBS News.
Researchers from Palo Alto Networks’ Threat Research team, Unit 42, found that hackers targeted the United States in the greatest numbers — followed by the United Kingdom, Spain, France, Brazil, Germany, and then Italy.
The report tracked how the group, which first surfaced in the summer of 2021, uses a double-extortion playbook. Cyber criminals not only hold the data hostage by charging hefty fees, but also threaten to leak the data online.
“Education is very vulnerable to this type of attack because often organizations don’t have the best cyber security and don’t have the best funding,” said Ryan Olson, vice president of Threat Intelligence at Palo Alto Networks. “Schools can’t compete with a bank or a tech company as far as what they can buy and deploy, and that means a threat actor who gets into that network has more time to go in and launch, facing very few obstacles for their attack.”
The threat actors have been on the radar of federal law enforcement for months.
Earlier this year, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint bulletin warning that “the education sector, particularly kindergarten through twelfth grade (K-12) institutions, has recently been a frequent target of ransomware attacks.”
“The effects of these attacks range from limited access to networks and data, delayed exams, cancellation of school days, and unauthorized access to and theft of personal information about students and staff.”
The intelligence memo singled out Vice Society for “disproportionately targeting the education sector with ransomware attacks.”
While comprehensive ransomware data proves difficult to obtain, cybersecurity researchers warn that schools — especially K-12 institutions — continue to attract the attention of ransomware gangs.
Most schools are not required by law to publicly report cyber incidents, but researchers at the K-12 Safety Information Exchange say that more than 1,200 cybersecurity incidents have been reported in public school districts across the country since 2016. Earlier this year, the Virginia-based nonprofit published a report detailing at least 209 ransomware attacks against K-12 institutions during 2016-2021.
New findings from Palo Alto Networks revealed “noticeable spikes” in attacks by Vice Society during the spring and fall months, a possible indication the group “timed campaigns to coincide with the region’s unique calendar year.”
“You could surmise that the assailants hit while the bus was in the fall, but it is much more likely that they were looking to make an impact because schools are starting,” Olson said.
Vice Society operates unlike other notorious ransomware groups, which sell or rent their hacking software or services to the highest bidder, according to the researchers. Instead, the group uses pre-existing ransomware – including the well-known variants HelloKitty and Zeppelin – to extort victims.
Palo Alto Networks researchers have not linked members of the group to a specific geographic location, although posts and communications from the cybercriminal gang have appeared on the dark web in both English and Russian.
The researchers estimate that the threat actors “affected more than 100 organizations in total,” including 40 cases affecting educational organizations, 13 targeting health care, and 12 targeting state and local governments.
According to analysis by Palo Alto Networks, 15 of the schools and education organizations targeted by the cybercriminal group are located in the US, while 10 are based in the United Kingdom. Other incidents were scattered across Colombia, Brazil, France, Malaysia, Austria, Canada and Ukraine.
“The group appears to be targeting more educational organizations based in California,” the report said.
Earlier this year, there was a ransomware attack targeting the Los Angeles Unified School District, the second largest school district in the US.
The district described the cyberattack as a “significant disruption to our systems infrastructure,” in which 500 gigabytes of data were stolen. Still, classes went on.
“If you hit a company and shut down their financial payments system, it’s going to be frustrating for that company,” Olson said. “But if one school in one area starts closing, it’s going to affect all the students, the teachers, their parents. It’s going to be absolutely newsworthy. It’s going to be up to the administrators to rework things. Too much pressure.” Ransomware actors want people in a position where they need to resume operations quickly, because that’s what’s going to pay them.
Cyber criminals posted more than 250,000 files and images on the dark web, including potentially sensitive information, after LAUSD administrators refused to pay the ransom, according to cybersecurity firm Check Point Research.
“Vice Society and its continued targeting of the education industry vertical, particularly around the September deadline, serves as a warning that the group may have shaped their campaigns to take advantage of the school year in the US,” Palo Alto Networks said in its report. “It is likely that they will continue to use tactics to influence the cyber threat landscape as long as their activities remain lucrative for them.”
Earlier this year, CISA previewed a plan to increase cybersecurity protections in local communities, with a focus on particularly vulnerable ones: K-12 schools, hospitals and water treatment facilities. CISA director Jane Easterly said in October that not all organizations are “investing millions and billions of dollars, like some in finance and energy [sectors].”
Homeland Security Secretary Alejandro Mayorkas said on Monday at the Center for Strategic and International Studies event in Washington DC, “Even the smallest organizations stand on the front lines of defense against the most sophisticated nation states and non-nation state threats.”
The cabinet secretary warned that cyber attacks will continue to “[grow] in numbers and gravity,” allowing American adversaries to launch “a new type of war” with a single keystroke.
For his part, Olson said Palo Alto Networks researchers are currently developing better cybersecurity tools to help prevent attacks launched by Vice Society. “One of the things we looked at is how long were the threat actors inside the network before they actually launched the attack?” Olson said. His team identified an average “residence time” of six days.
“Keeping track of all this information allows us to respond more quickly and more effectively in cases of backlash,” Olson said.