On September 6, 2022, U.S. federal agencies including the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory warning the education sector that it was being disproportionately targeted by a ransomware group known as Vice Society.
The alert came days after the Los Angeles Unified School District, one of the largest in the U.S., announced it was the victim of a ransomware attack. The attackers infected the district's networks with malicious software that encrypted files and demanded a ransom payment. Schools are attractive targets because of the wealth of sensitive information they maintain on students and parents.
Vice Society Tactics
First observed in 2021, Vice Society is a double-extortion ransomware group. Rather than maintaining its own locker, it deploys versions of the HelloKitty/FiveHands and Zeppelin ransomware, and may switch to other variants in the future.
In prior intrusions, Vice Society gained initial network access through compromised credentials, typically by exploiting internet-facing applications. After escalating privileges and obtaining domain administrator accounts, the actors ran scripts that changed the passwords of the victim's network accounts, locking defenders out of their own environment while the attack proceeded.
SystemBC, PowerShell Empire and Cobalt Strike are common tools Vice Society uses for lateral movement: spreading from a single point of entry to other systems across the infrastructure. The group also exploits PrintNightmare (CVE-2021-1675 and CVE-2021-34527), a pair of vulnerabilities in the Windows Print Spooler service that allow remote code execution and local privilege escalation, in its case to escalate privileges on compromised hosts. Other Vice Society techniques include persistence through scheduled tasks and undocumented autostart Registry keys, disguising malware as legitimate files, and process injection, in which the actors run their code inside the memory space of another, legitimate process to evade detection.
“Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses and exfiltrating data for double extortion–a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom,” according to CISA and the FBI. “They have also used ‘living off the land’ (LotL) techniques [abusing trusted, preinstalled system tools rather than dropping custom malware] targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content.” The full joint CISA/FBI alert gives further detail on these techniques.
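Several of the behaviours described above leave footprints in standard Windows telemetry. The script below is an added example, not code from the CISA alert or from Recovery Point: it runs four simple hunts over a constructed set of Security and Sysmon events, looking for one account resetting many passwords in a short window (the lockout script), Run-key and scheduled-task persistence launched from user-writable directories, and the spooler loading a DLL from the driver staging directory that PrintNightmare exploits abuse. The event records, thresholds, paths and the staging-directory heuristic are assumptions for illustration.

```python
"""Hunt for Vice Society-style behaviours over constructed Windows events.
Added example; the telemetry, thresholds and paths below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Directories a legitimate autostart or scheduled-task binary rarely lives in
# (user profiles, Public, ProgramData, Windows\Temp, or a UNC path).
USER_WRITABLE = re.compile(
    r'^"?(?:[a-z]:\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\|\\\\)',
    re.IGNORECASE)
RUN_KEYS = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Assumption: PrintNightmare exploits stage their payload DLL under
# ...\spool\drivers\<arch>\3\New\ before the spooler loads it.
SPOOL_STAGING = re.compile(r"\\spool\\drivers\\[^\\]+\\3\\new\\", re.IGNORECASE)


def ev(ts, source, event_id, **fields):
    """Build one event tuple: (timestamp, log source, event ID, fields)."""
    return (datetime.fromisoformat(ts), source, event_id, fields)


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # Helpdesk resets a single user's password: benign.
    ev("2022-09-01T09:15:00", "Security", 4724, subject="CORP\\helpdesk1", target="CORP\\bjones"),
    # A script under a compromised admin account resets six accounts in 40 seconds.
    *[ev(f"2022-09-01T02:10:{s:02d}", "Security", 4724, subject="CORP\\adm-mlee", target=f"CORP\\{u}")
      for s, u in zip(range(0, 41, 8),
                      ["svc-backup", "svc-sql", "it-admin1", "it-admin2", "dc-admin", "svc-vpn"])],
    # Run-key persistence pointing at ProgramData (suspicious) and Program Files (benign).
    ev("2022-09-01T02:12:30", "Sysmon", 13, image="C:\\Windows\\System32\\reg.exe",
       key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
       data="C:\\ProgramData\\updater\\u.exe"),
    ev("2022-09-01T02:12:31", "Sysmon", 13, image="C:\\Windows\\System32\\msiexec.exe",
       key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware",
       data="C:\\Program Files\\VMware\\vmtoolsd.exe"),
    # Scheduled task whose action lives in Users\Public.
    ev("2022-09-01T02:13:00", "Security", 4698, subject="CORP\\adm-mlee",
       task="\\Microsoft\\Windows\\SyncCenter", command="C:\\Users\\Public\\sync.exe"),
    # spoolsv.exe loading a DLL from the staging directory vs. an installed driver.
    ev("2022-09-01T02:14:05", "Sysmon", 7, image="C:\\Windows\\System32\\spoolsv.exe",
       loaded="C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\evil.dll"),
    ev("2022-09-01T08:00:00", "Sysmon", 7, image="C:\\Windows\\System32\\spoolsv.exe",
       loaded="C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrv.dll"),
]


def mass_password_resets(events, threshold=5, window=timedelta(minutes=2)):
    """Security 4724 (password reset attempt): return {subject: [targets]} for any
    subject that reset `threshold` or more distinct accounts within `window`."""
    by_subject = defaultdict(list)
    for ts, source, eid, f in events:
        if source == "Security" and eid == 4724:
            by_subject[f["subject"]].append((ts, f["target"]))
    hits = {}
    for subject, resets in by_subject.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            targets = {t for ts, t in resets[i:] if ts - start <= window}
            if len(targets) >= threshold:
                hits[subject] = sorted(targets)
                break
    return hits


def autostart_from_user_paths(events):
    """Sysmon 13 (registry value set) on a Run/RunOnce key whose data launches
    something from a user-writable directory."""
    return [(f["key"], f["data"]) for _, source, eid, f in events
            if source == "Sysmon" and eid == 13
            and RUN_KEYS.search(f["key"]) and USER_WRITABLE.match(f["data"])]


def tasks_from_user_paths(events):
    """Security 4698 (scheduled task created) whose action runs from a user-writable directory."""
    return [(f["subject"], f["task"], f["command"]) for _, source, eid, f in events
            if source == "Security" and eid == 4698 and USER_WRITABLE.match(f["command"])]


def spooler_staging_loads(events):
    """Sysmon 7 (image loaded): spoolsv.exe loading a DLL out of the driver staging directory."""
    return [f["loaded"] for _, source, eid, f in events
            if source == "Sysmon" and eid == 7
            and f["image"].lower().endswith("\\spoolsv.exe") and SPOOL_STAGING.search(f["loaded"])]


if __name__ == "__main__":
    for name, hunt in [("mass password resets", mass_password_resets),
                       ("autostart from user-writable path", autostart_from_user_paths),
                       ("scheduled task from user-writable path", tasks_from_user_paths),
                       ("spooler staging DLL load", spooler_staging_loads)]:
        print(f"{name}: {hunt(SAMPLE_EVENTS)}")
```

In a real environment these rules are a starting point for tuning, not a finished detection: the reset threshold has to sit above what the helpdesk legitimately does, and on print servers the staging-directory rule will fire on every genuine driver install, so each hit there needs a quick check of the driver's publisher and the account that added it.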
What Can You Do?
Recovery is an essential part of an educational institution's overall ransomware strategy, not an afterthought. Being able to quickly identify where your last known good copy of data lives, and when it was taken, is critical. Many organizations are learning that their recovery plans never accounted for ransomware: backups that are reachable from the production network get encrypted along with everything else, and they find out too late that their data, and their operations, are unrecoverable. That is exactly why ransomware is so effective, and why you must plan for a disaster that is both highly likely and happening with increasing frequency. Recovery Point can help you build an isolated clean-room recovery environment backed by a tested DR plan, so that if bad actors do get in, you can get your school back up and running quickly.
Don’t delay – failing to plan is planning to fail – call 877-445-4333 to speak with a Recovery Point expert and learn more.
By Rob Carter, Chief Operating Officer