The Los Angeles Unified School District (LAUSD) has become the latest target of attacks from hackers who demanded a ransom for the data they swiped. The hackers claim to have stolen over 500 gigabytes of data from the second-largest school district in the U.S. and set Monday as a deadline for the LAUSD to pay the ransom — or else.
However, Vice Society, the syndicate claiming responsibility for the hack, began releasing the data online Saturday night, ahead of that deadline. The hack took place on Sept. 3, while schools were closed for Labor Day Weekend.
Thank you to our students, families and employees for doing their part in the ongoing recovery from this cyberattack. pic.twitter.com/K8VhiFmSbL
— Alberto M. Carvalho (@LAUSDSup) October 2, 2022
The release of data came after Superintendent Alberto Carvalho announced on Friday that the LAUSD wouldn’t give in to the ransom demands.
“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
Carvalho also released a statement on Friday in which he said, “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
The district said it believed that employees’ personal information wasn’t at risk, even as it expressed concern that the hackers may have accessed benefit and payroll information.
Less certain is how much student data the hackers have, which the Times reports “could include names, grades, course schedules, disciplinary records, and disability status.”
As the district’s technicians were rebooting systems after the hacking, they discovered tripwires that could have allowed Vice Society to continue hacking the district and accessing more data.
Brett Callow, a threat analyst at Emsisoft, posted screenshots of Vice Society’s threat to the LAUSD on Twitter.
Vice Society has listed the 2nd largest school district in the US: #LAUSD. The same gang has hit at least 8 other US school districts and colleges/universities so far this year. 1/5 pic.twitter.com/DOSq839FDT
— Brett Callow (@BrettCallow) September 30, 2022
Other cybersecurity experts confirmed Callow’s report, while reporters have claimed that Vice Society has informally admitted to them that they were responsible.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to school systems in September regarding hackers accessing educational data:
“Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”
The CISA report even mentions Vice Society by name.
“Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190],” warned CISA. “Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [TA0010] for double extortion–a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom.”
Callow said that Vice Society has hit nine school systems, colleges, and universities this year alone. At least 27 school districts and 28 colleges and universities have become the victims of hacking incidents so far this year, although arguably none of those attacks were as large or as heavily publicized as the one that took place in Los Angeles.