Protecting K-12 schools from cyber threats: The case of Vice Society
A notorious threat group, Vice Society, has made a name for itself by targeting K-12 school systems. For example, it breached the LA County Unified School District (LAUSD) in September 2022 at the start of the academic year. The second largest school district in the U.S. — one with 640,000 students and over a thousand schools — was the victim of a ransomware attack.
Mike Wilkinson, leader of the digital forensics and incident response team at Avertium, explained that this incident highlighted the growing sophistication of the cybercrime “supply chain.” Instead of one group developing the software, infiltrating the system, installing the malware and holding the school district to ransom, Vice Society obtained the ransomware technology from other developers, for which it pays a fee based on the amount of the ransom received.
ChatGPT training built for everyone
“School groups tend to be softer targets that haven’t traditionally had a strong focus on security, although that is gradually changing,” said Wilkinson. “As schools exist to serve their students, there tends to be extra pressure to get a ransom paid, which might be part of the reason for a general rise in attacks on schools.”
In the LAUSD attack, Vice Society exfiltrated 500 GBs of personal information from students and threatened to leak it to the public.
“Through our ongoing investigation, we determined that between July 31, 2022, and September 3, 2022, an unauthorized actor accessed and acquired certain files maintained on our servers," said the school district in their collectively-written data breach notification letters sent to affected individuals. "Those files contained the names, addresses and Social Security numbers of contractor and subcontractor employees and other affiliated individuals."
The school district decided not to pay the ransom as there was no guarantee that hackers wouldn’t leak the data anyway. The district believed they could use the money for more beneficial purposes, such as funding different student needs and their education.
That’s a smart decision in many ways. Numerous cases are on record of organizations paying the ransom and not retrieving their data — or finding that the bad guys had retained a back door into their systems and mounted yet another ransomware attack a short time later.
However, many decide to pay the ransom Cedar Rapids Community School District in Iowa, for example, paid up to minimize student disruption.
“There’s been a trend over the past year or so where people are less and less likely to pay to prevent the release of data,” said Wilkinson. “But even if you do pay the ransom, there is no guarantee that the data is not going to get out there. You are dealing with criminals who don’t have much morality.”
Combating cybercrime
To combat cybercrime, Wilkinson recommends outsourcing security services. Managed security service providers (MSSPs) typically have more robust security safeguards that organizations such as school districts can use to lessen the burden on their IT departments. He also recommended multi-factor authentication (MFA) as another vital technology to implement. MFA lessens the blow if someone in the organization falls prey to phishing. By adding an extra step to the process, such as requiring that a text code be entered to gain access to critical systems, cybercriminals can do far less damage if they obtain an email password or other credentials.
Phishing simulations & training
If a ransomware notification appears on your screen, Wilkinson said that upon identifying the incident, immediately institute containment measures to prevent things from worsening.
“I’ve had situations where clients identified someone inside their network but were reluctant to shut systems down or restrict internet access,” he said. “24 hours later, they found everything was encrypted, and the problem was much worse.”
Threat identification must also differentiate different kinds of threats. Detecting a malicious file or URL is one thing — one only needs to delete it. But other threats mean that malware is already running within the enterprise. Wilkinson cautioned that it is not uncommon for actions to be taken to address the symptoms of malware rather than rooting it out completely and ensuring it will not reappear.
“Have an incident response plan in place so you are prepared in advance with a playbook on how you handle common incidents,” said Wilkinson. “Having decision trees and guidance in the plan can help you in stressful situations.”
Gathering evidence
Deleting malware and infected files may get rid of the immediate problem. But another vital step is to preserve evidence of the attack. Remember that initial access often happens two weeks to two months before ransomware encryption occurs. Exfiltration generally happens before encryption. If you’re just cleaning up, wiping systems, and rebuilding them, you’re potentially losing that evidence around the exfiltration.
“If you are facing litigation, you want to figure out exactly what the attackers took from a forensics perspective,” said Wilkinson. “If the systems haven’t been wiped, most of the time, we can figure out what’s been taken and what the threat actor has been doing.”
That makes it possible to piece everything together. For example, you can detect that cybercriminals browsed through your financial team's share file, zipped everything, saved it to a computer, and uploaded it. Such findings play a key role in forensic investigation and subsequent legal actions.
Phishing simulations & training
Key steps to minimize cybercrime
There is good advice above on what to do during a ransomware attack. Perhaps more importantly, though, are steps that can be taken to prevent them. Here are a few of the basics:
-
Maintain comprehensive backups of all data and store it in multiple locations. Ensure those backups are protected from infection by ransomware and other malware.
-
Institute security awareness training of all employees regularly to keep them up to date on the latest strategies employed by ransomware gangs.
-
Implement zero trust access policies so that even if one credential is breached, it remains difficult for threat actors to infiltrate other systems.
-
Conduct regular vulnerability scans of all systems and endpoints
-
Deploy automated patch management software to deliver patches rapidly. Prioritize those patches with the highest security threat rating.
Watch the full episode of the Cyber Work Podcast with guest Mike Wilkinson of Avertium.
ChatGPT training
In this Series
- Protecting K-12 schools from cyber threats: The case of Vice Society
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization