Update on 2022-10-09: Hackers release data after LAUSD refuses to pay ransom
Brutal week for hundreds of thousands of students across the Los Angeles Unified School District (LAUSD), the second largest school district in the U.S., which refused to pay hackers following a ransomware attack in September, and saw hackers release a cache of stolen documents from the school district’s systems. The full extent of the data drop isn’t yet known, but reporters found Social Security numbers and other sensitive student health-related data. Vice Society, the ransomware group blamed for the attack, claimed CISA stalled the release of data; the feds have long advised victims not to pay the ransom, fearing it’ll lead to more attacks. Motherboard took a deep dive into ransomware affecting U.S. schools by filing dozens of FOIAs to understand how districts and school systems handle ransomware attacks, while The Guardian looks at the self-taught ransomware hunters who fight back by building decryption tools that can unlock victims’ scrambled files for free. Read more:
- Hackers release data after LAUSD refuses to pay ransom
- Hackers leak 500GB trove of data stolen during LAUSD ransomware attack
- Ransomware hunters: the self-taught tech geniuses fighting cybercrime
Update on 2022-10-03
The Vice Society ransomware group leaked the data it stole from Los Angeles Unified School District (LAUSD) after the district refused to pay a ransom. The group compromised the network last month. Read more: Ransomware gang leaks data stolen from LAUSD school system
Update on 2022-09-22
In a new update, the hackers who attacked the Los Angeles Unified School District made a ransom demand. However, officials have not responded to the demand. Read more: L.A. Unified cyberattackers demand ransom
Update on 2022-09-12: L.A. school district hit by ransomware
The Los Angeles Unified School District, or LAUSD, is the second largest school district in the U.S., and this week it was hit by ransomware as its 6,000 students were preparing to go back after the long Labor Day holiday. Students returned but IT systems were down and a mass password reset was initiated — though students struggled to access basic learning tools. Vice Society, a Russian-language extortion group, claimed responsibility for the attack, two days after CISA put out an alert warning that the group primarily targets the education sector. The FBI and DHS have joined in LAUSD’s investigation, per the Los Angeles Times. It’s not known what data, if any, was taken, but employee payroll and healthcare are not impacted. This is an incident that will likely spill into the coming week, if not longer, as remediation continues.
Read more in
- LAUSD Targeted in Ransomware Attack That Led to ‘Significant Disruption’
- Huge Los Angeles Unified School district hit by cyberattack
- Alert (AA22-249A) #StopRansomware: Vice Society
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a joint advisory warning that a ransomware threat actor known as Vice Society is targeting the education sector. The warning comes on the heels of a ransomware attack that hit the Los Angeles (California) Unified School District (LAUSD) over the Labor Day weekend; LAUSD schools opened as planned on Tuesday, September 6. An anonymous source said that in the months preceding the attack, LAUSD network account credentials had been offered on the Dark Web.
- If you look at multi-year attack data, you see that attackers target every sector that has vulnerabilities – which means they target all sectors. Denial-of-service attacks, which include ransomware, often do target specific times when targets may feel a sense of urgency – holiday shopping, start of school year, tax filing days, etc. But most ransomware attacks are also data exfiltration type attacks, which create their own urgency. Bottom line: use data over headlines and focus on increasing basic security hygiene as “4-seasons” protection.
- No matter what your sector, you should be prepared for attacks. You should have a plan in place for recovery that you’ve tested, verified your backups and ensured you’re keeping systems updated, particularly boundary control devices. Make sure that all your internet accessible entry points use MFA, for everyone. Treat that VIP or Administrator account as just as likely to be compromised, no matter how careful they are or how strong the password. A level playing field also helps buy-in. If you’re looking to expose more services to the Internet, ensure security posture assessment, and remediation, is required in the process.
Read more in