US Agencies Warn About ‘Vice Society’ Ransomware Gang Targeting Education Sector

The FBI, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are sounding the alarm over a ransomware gang's increased targeting of the education sector.

In a joint advisory this week, the three agencies warn that a threat actor identified as “Vice Society” has “disproportionately targeted the education sector with ransomware attacks.”

Ransomware attacks targeting the education sector, particularly K-12, are not uncommon, and U.S. government agencies expect an increase in attacks as the 2022/2023 school year begins.

“School districts with limited cybersecurity capabilities and limited resources are often the most vulnerable; however, the opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk,” the advisory reads.

The advisory was released the same day a huge Los Angeles school district was hit by a ransomware attack that caused an unprecedented shutdown of its IT systems.

The impact of ransomware attacks on K-12 schools can range from the cancellation of school days to restricted access to data, delays in exams and the theft of students’ and staff members’ personal information.

“Kindergarten through 12th grade schools may be considered particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers,” state the FBI, CISA and the MS-ISAC.

Active since the summer of 2021, Vice Society is a hacking group that engages in intrusion, data exfiltration, and extortion, and uses various ransomware families, including versions of HelloKitty/Five Hands and Zeppelin ransomware, the joint advisory reads.

Vice Society likely gains initial access to targeted networks with compromised credentials, obtained by exploiting web-accessible applications. Tools such as SystemBC, PowerShell Empire, and Cobalt Strike are then used for lateral movement.

Before deploying the ransomware, the adversary explores the hacked network to identify and exfiltrate data of interest, which is then used to pressure the victim into paying a ransom.

The threat actor has exploited the PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) for privilege escalation, and uses scheduled tasks and autostart registry keys for persistence.

The hacking group also uses DLL sideloading and attempts to evade detection through process injection and by masquerading its malware as legitimate files.

“Vice Society actors have been observed increasing privileges, then accessing domain administrator accounts and running scripts to change victim network account passwords to prevent the victim from remediating,” the US agencies say.

Organizations are advised to keep offline backups of data, encrypt backups, monitor external remote connections, restrict execution of unknown programs, implement multi-factor authentication, audit user accounts, implement network segmentation, monitor for abnormal activity, disable unused ports, keep systems and applications updated, and implement a recovery plan.
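One concrete form of the "monitor abnormal activity" advice, aimed at the mass password changes the agencies describe: an added detection example (not code from the advisory or from SecurityWeek) that flags any account resetting the passwords of many distinct users within a short window. The log lines are constructed, in a hypothetical flattened text format based on Windows Security event 4724 (password reset), and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical flattened format:
# "<ISO timestamp> <EventID> subject=<resetting account> target=<account reset>".
# 4724 is the Windows Security event "An attempt was made to reset an account's password".
SAMPLE_LOG = """
2022-09-06T02:10:00 4624 subject=CORP\\helpdesk target=-
2022-09-06T02:11:05 4724 subject=CORP\\helpdesk target=CORP\\mjones
2022-09-06T02:14:01 4724 subject=CORP\\svc_backup target=CORP\\jdoe
2022-09-06T02:14:03 4724 subject=CORP\\svc_backup target=CORP\\asmith
2022-09-06T02:14:04 4724 subject=CORP\\svc_backup target=CORP\\bwong
2022-09-06T02:14:06 4724 subject=CORP\\svc_backup target=CORP\\clee
2022-09-06T02:14:09 4724 subject=CORP\\svc_backup target=CORP\\dpatel
2022-09-06T02:15:12 4724 subject=CORP\\svc_backup target=CORP\\Administrator
2022-09-06T03:40:00 4724 subject=CORP\\helpdesk target=CORP\\kfox
"""
LINE_RE = re.compile(r"^(\S+) (\d+) subject=(\S+) target=(\S+)$")

def parse_password_resets(log_text):
    """Return (timestamp, subject, target) for every 4724 line; other events are ignored."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, event_id, subject, target = m.groups()
        if event_id == "4724":
            events.append((datetime.fromisoformat(ts), subject, target))
    return events

def find_mass_password_resets(log_text, window=timedelta(minutes=10), threshold=5):
    """Map each subject that reset >= threshold distinct accounts inside any sliding
    window of the given length to the largest such count (assumed tuning values)."""
    by_subject = defaultdict(list)
    for ts, subject, target in parse_password_resets(log_text):
        by_subject[subject].append((ts, target))
    alerts = {}
    for subject, resets in by_subject.items():
        resets.sort()
        start = 0
        for end in range(len(resets)):
            while resets[end][0] - resets[start][0] > window:
                start += 1  # drop resets that fell out of the window
            distinct = {target for _, target in resets[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[subject] = max(alerts.get(subject, 0), len(distinct))
    return alerts
```

On the sample above the service account that resets six accounts in about a minute is flagged, while the help-desk account's two resets, hours apart, are not.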

Related: CISA and FBI Warn Organizations of Zeppelin Ransomware Attacks

Related: CISA and FBI issue warnings about WhisperGate and HermeticWiper attacks

Related: CISA and FBI warn of potential attacks on critical infrastructure during the holidays

Ionut Arghire is an international correspondent for SecurityWeek.
