Ransomware group targeted dozens of schools in 2022, new report finds

More than 40 educational organizations, including 15 in the United States, suffered ransomware attacks launched by the cybercriminal group known as Vice Society, researchers at cybersecurity firm Palo Alto Networks revealed in a report published Tuesday and obtained by CBS News.

Researchers from Palo Alto Network's threat research team, Unit 42, found that hackers targeted the United States in the largest numbers – followed by the United Kingdom, Spain, France, Brazil, Germany and then Italy.

The report tracked how the group, which first surfaced in the summer of 2021, uses a double-extortion playbook. Not only does the consortium of cybercriminals hold data hostage for a hefty fee, but it also threatens to leak the data online.

"Education is so vulnerable to this type of attack because oftentimes organizations don't have the best cybersecurity in place and the best funding for it," said Ryan Olson, vice president of threat intelligence at Palo Alto Networks. "Schools can't compete with a bank or a tech company as far as what they can buy and deploy, and that means that a threat actor who gets into that network is facing a lot less, a lot fewer barriers to go in and launch their attack.

The threat actors have been on the radar of federal law enforcement for months.

Earlier this year, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint bulletin warning that "the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks" in recent years.

"Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff."

The intelligence memo singled out Vice Society for "disproportionately targeting the education sector with ransomware attacks."

And while comprehensive ransomware data proves hard to come by, cybersecurity researchers warn that schools – particularly K-12 institutions – continue to attract the attention of ransomware gangs.

Most schools are not required by law to report cyberattacks to the public, but researchers at K-12 Security Information Exchange say that more than 1,200 cybersecurity incidents have occurred since 2016 at public school districts, nationwide. Earlier this year, the Virginia-based nonprofit published a report accounting for at least 209 ransomware attacks against K-12 institutions from 2016-2021.

The new findings by Palo Alto Networks revealed "noticeable spikes" in attacks perpetrated by Vice Society during the spring and fall months, an indication the group may be "timing campaigns to coincide with this sector's unique calendar year."

"You could guess attackers just happened to hit in the fall, but it's much more likely they were thoughtful about making an impact as the schools are beginning," said Olson.

Vice Society operates unlike other notorious ransomware groups, opting out of the ransomware-as-a-service (RaaS) model, in which criminal gangs sell or rent their hacking software or services to the highest bidder, according to researchers. Instead, the group utilizes pre-existing ransomware – including well-known variants HelloKitty and Zeppelin – to extort victims.

Researchers at Palo Alto Networks have not tied the group's members to a specific geographic location, though posts and communications from the cybercriminal gang have appeared on the dark web in both English and Russian.

Researchers estimate the threat actors "have impacted more than 100 organizations in total," including 40 cases impacting educational organizations, 13 targeting health care and 12 targeting state and local governments.

According to Palo Alto Networks' analysis, of the schools and education organizations targeted by the cybercriminal group, 15 are based in the U.S., with 10 located in the United Kingdom. Other incidents are sprinkled across Colombia, Brazil, France, Malaysia, Austria, Canada and Ukraine.

The report noted, "the group appears to be targeting more educational organizations based in California."

Earlier this year, a ransomware attack targeted Los Angeles Unified School District, the second largest school district in the U.S. Although school administrators have not confirmed the actors behind the incident, Vice Society has publicly claimed credit for the Labor Day weekend breach.

The district characterized the cyberattack as a "significant disruption to our system's infrastructure," with 500 gigabytes of data stolen. Still, classes continued.

"If you hit a company and shut down their financial payment system, that's going to be frustrating for that company," Olson said. "But if a school starts to shut down in an area, it is going to impact all of the students, teachers, their parents. It's absolutely going to be news. That's going to put a lot of pressure on administrators to get things working again. Ransomware actors want people in a position where they need to get operations going again quickly, because that's what's going to make them pay."

After LAUSD administrators refused to pay a ransom, cybercriminals posted more than 250,000 files and images on the dark web, including potentially sensitive information, according to the cybersecurity firm Checkpoint Research.

"Vice Society and its consistent targeting of the education industry vertical, particularly around the September time frame, serves as a warning that this group has shaped their campaigns to take advantage of the school year in the U.S.," Palo Alto Networks said in its report. "It's likely they'll maintain use of the tactics to impact the cyberthreat landscape moving forward, as long as their activities continue to be lucrative for them."  

Earlier this year, CISA previewed a plan to enhance cybersecurity protections in local communities, with a focus on the particularly vulnerable: K-12 schools, hospitals and water treatment facilities. CISA Director Jen Easterly noted in October that not all organizations are "investing millions and billions of dollars like some in the finance and energy [sectors] are."

Homeland Security Secretary Alejandro Mayorkas said Monday at a Center for Strategic and International Studies event in Washington, D.C., "Even the smallest organizations stand on the frontlines defending against the most sophisticated nation states and non-nation state threats." 

The cabinet secretary warned that cyberattacks continue to "[grow] in number and gravity," allowing U.S. adversaries to launch "a new kind of warfare" with a single keystroke.

For their part, Olson said researchers at Palo Alto Networks are currently developing better cybersecurity tools to help preempt attacks launched by Vice Society. "One of the things we looked at is, how long were threat actors inside the network before they actually launched an attack?" Olson said. His team identified an average "dwell time" of six days.

"Tracking all of this information is what allows us to respond more quickly and more effectively to incident response cases," Olsen said.