Protecting K-12 schools from cyber threats: The case of Vice Society
A notorious threat group, Vice Society, has made a name for itself by targeting K-12 school systems. For example, it breached the LA County Unified School District (LAUSD) in September 2022 at the start of the academic year. The second largest school district in the U.S. — one with 640,000 students and over a thousand schools — was the victim of a ransomware attack.
Mike Wilkinson, leader of the digital forensics and incident response team at Avertium, explained that this incident highlighted the growing sophistication of the cybercrime “supply chain.” Instead of one group developing the software, infiltrating the system, installing the malware and holding the school district to ransom, Vice Society obtained the ransomware technology from other developers, for which it pays a fee based on the amount of the ransom received.
Phishing simulations & training
“School groups tend to be softer targets that haven’t traditionally had a strong focus on security, although that is gradually changing,” said Wilkinson. “As schools exist to serve their students, there tends to be extra pressure to get a ransom paid, which might be part of the reason for a general rise in attacks on schools.”
In the LAUSD attack, Vice Society exfiltrated 500 GBs of personal information from students and threatened to leak it to the public.
“Through our ongoing investigation, we determined that between July 31, 2022, and September 3, 2022, an unauthorized actor accessed and acquired certain files maintained on our servers," said the school district in their collectively-written data breach notification letters sent to affected individuals. "Those files contained the names, addresses and Social Security numbers of contractor and subcontractor employees and other affiliated individuals."
The school district decided not to pay the ransom as there was no guarantee that hackers wouldn’t leak the data anyway. The district believed they could use the money for more beneficial purposes, such as funding different student needs and their education.
That’s a smart decision in many ways. Numerous cases are on record of organizations paying the ransom and not retrieving their data — or finding that the bad guys had retained a back door into their systems and mounted yet another ransomware attack a short time later.
However, many decide to pay the ransom Cedar Rapids Community School District in Iowa, for example, paid up to minimize student disruption.
“There’s been a trend over the past year or so where people are less and less likely to pay to prevent the release of data,” said Wilkinson. “But even if you do pay the ransom, there is no guarantee that the data is not going to get out there. You are dealing with criminals who don’t have much morality.”
Combating cybercrime
To combat cybercrime, Wilkinson recommends outsourcing security services. Managed security service providers (MSSPs) typically have more robust security safeguards that organizations such as school districts can use to lessen the burden on their IT departments. He also recommended multi-factor authentication (MFA) as another vital technology to implement. MFA lessens the blow if someone in the organization falls prey to phishing. By adding an extra step to the process, such as requiring that a text code be entered to gain access to critical systems, cybercriminals can do far less damage if they obtain an email password or other credentials.
Phishing simulations & training
If a ransomware notification appears on your screen, Wilkinson said that upon identifying the incident, immediately institute containment measures to prevent things from worsening.
“I’ve had situations where clients identified someone inside their network but were reluctant to shut systems down or restrict internet access,” he said. “24 hours later, they found everything was encrypted, and the problem was much worse.”
Threat identification must also differentiate different kinds of threats. Detecting a malicious file or URL is one thing — one only needs to delete it. But other threats mean that malware is already running within the enterprise. Wilkinson cautioned that it is not uncommon for actions to be taken to address the symptoms of malware rather than rooting it out completely and ensuring it will not reappear.
“Have an incident response plan in place so you are prepared in advance with a playbook on how you handle common incidents,” said Wilkinson. “Having decision trees and guidance in the plan can help you in stressful situations.”
Gathering evidence
Deleting malware and infected files may get rid of the immediate problem. But another vital step is to preserve evidence of the attack. Remember that initial access often happens two weeks to two months before ransomware encryption occurs. Exfiltration generally happens before encryption. If you’re just cleaning up, wiping systems, and rebuilding them, you’re potentially losing that evidence around the exfiltration.
“If you are facing litigation, you want to figure out exactly what the attackers took from a forensics perspective,” said Wilkinson. “If the systems haven’t been wiped, most of the time, we can figure out what’s been taken and what the threat actor has been doing.”
That makes it possible to piece everything together. For example, you can detect that cybercriminals browsed through your financial team's share file, zipped everything, saved it to a computer, and uploaded it. Such findings play a key role in forensic investigation and subsequent legal actions.
Phishing simulations & training
Key steps to minimize cybercrime
There is good advice above on what to do during a ransomware attack. Perhaps more importantly, though, are steps that can be taken to prevent them. Here are a few of the basics:
-
Maintain comprehensive backups of all data and store it in multiple locations. Ensure those backups are protected from infection by ransomware and other malware.
-
Institute security awareness training of all employees regularly to keep them up to date on the latest strategies employed by ransomware gangs.
-
Implement zero trust access policies so that even if one credential is breached, it remains difficult for threat actors to infiltrate other systems.
-
Conduct regular vulnerability scans of all systems and endpoints
-
Deploy automated patch management software to deliver patches rapidly. Prioritize those patches with the highest security threat rating.
Watch the full episode of the Cyber Work Podcast with guest Mike Wilkinson of Avertium.