Vice Society, the cybercriminal gang responsible for the attack, is believed to have used internal login credentials leaked on the dark web to access LAUSD’s network and launch the ransomware attack.

Twenty-three internal LAUSD credentials were leaked on the dark web leading up to the attack, with at least one set granting access to LAUSD’s Virtual Private Network (VPN). Gaining access to a target’s VPN is usually the initial phase of a ransomware attack since these solutions are gateways to other sensitive network regions where malware can be installed.

How did the LAUSD Ransomware Attack Happen?

On September 3, 2022, the Los Angeles Unified School District (LAUSD) fell victim to a ransomware attack launched by a Russian-speaking ransomware gang known as VIce Society. Vice Society didn’t immediately reveal the true impact of the attack, and without any evidence at the time to confirm otherwise, Superintendent Alberto Carvalho made an idealistic announcement that any accessed data most likely didn’t include personally identifiable information.

Two weeks later, the hackers issued a ransom demand with a three-day ultimatum. At the time, the impact of the attack was still unknown. The offer in the ransom demand was likely the reversal of critical system encryptions caused by the attack.

Vice Society's ransom threat to LAUSD
Vice Society's ransom threat to LAUSD
During a single-extortion ransomware attack, hackers encrypt critical systems and only offer to reinstate system access if a ransom is paid.
Vice Society revealing to cybersecurity reporter Jeremy Kirk that they were responsible for the LAUSD ransomware attack to cybersecurity reporter Jeremy Kirk.
Vice Society revealing to cybersecurity reporter Jeremy Kirk that they were responsible for the LAUSD ransomware attack to cybersecurity reporter Jeremy Kirk.

LAUSD, however, is a double-extortion ransomware gang, meaning that as well as encrypting critical computer systems, the group steals sensitive data and threatens to sell it if a ransom isn’t paid. These tactics pressure victims into making a ransom payment on two fronts:

  1. The longer critical systems remain encrypted, the longer a business is unable to operate - which could result in SLA violations.
  2. If sensitive customer data is leaked, a business could suffer enormous reputational damage.

In this instance, it appears like Vice Society didn’t make its second extorsion threat clear in its ransom demand.

LAUSD, rightfully following the FBI’s strict no-ransom payment advice, denied the ransom payment, resulting in Vice Society publishing the stolen data on their ransomware leak blog hosted on the dark web.

Superintendent Alberto Carvalho announcing the LAUSD data leak
Superintendent Alberto Carvalho announcing the LAUSD data leak

This data leak finally proved that sensitive data was stolen during the attack, highlighting the connection between ransomware attacks and data breaches. Vice Society revealed to Bleeping Computer that 500GB of data was stolen from LAUSD’s systems, which may include Social Security Numbers, Passport data, and other sensitive information.

Upguard free security score request


Click here
to request your free instant security score.

Vice Society is known for targeting the education sector

Learn how to reduce the impact of ransomware attacks >

The incident has escalated to the point of requiring assistance from the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and local law enforcement.

Not the First Ransomware Attempt

This isn’t the first time LAUSD was targeted by Vice Society. In 2021, the ransomware gang infected a computer belonging to the school’s psychologist with Trickbot - malware designed to steal credentials and financial information. Security firm, Hold Security, advised LAUSD of the attack, but it's unclear if the specific vulnerabilities that facilitated that attack were addressed.

Cybersecurity reporter, Jeremy Kirk, announcing that this isn't the first time LAUSD was targeted by Vice Society
Cybersecurity reporter, Jeremy Kirk, announcing that this isn't the first time LAUSD was targeted by Vice Society

2 Key Lessons from the LAUSD Hack

Two important lessons can be learned from this attack. By applying them to your current cybersecurity program, your business could significantly minimize the impact or completely prevent a security incident like the LAUSD hack.

1. Implement a Data Leak Service

A data leak detection service notifies a business when its sensitive data has been leaked on the dark web so that compromised accounts can be rapidly secured. The rapid remediation response that’s possible with such a service decrease the chances of compromised accounts being targeted in follow-up attacks.

Such a service might have helped LAUSD detect and secure the leaked internal credentials that likely facilitated this ransomware attack.

Request a free demo of UpGuard’s data leak detection service.

2. Enforce MFA Across all Corporate Accounts

In response to the attack, LAUSD announced the accelerated rollout of Multi-Factor Authentication (MFA) on all corporate accounts.

LAUSD announcing that it will be expediting the rollout of MFA
LAUSD announcing that it will be expediting the rollout of MFA

MFA inserts additional identity verification steps within a login process, making it difficult for hackers to log into a network even with stolen credentials. However, MFA can be exploited; so if you implement this security control, ensure you account for all common bypass methods.

Text reading - LAUSD Security Report

See how your organization's security posture compares to LAUSD's.

View LAUSD's security report.

Learn about other Famous Data Breaches:

Ready to see
UpGuard in action?