Vice Society, the cybercriminal gang responsible for the attack, is believed to have used internal login credentials leaked on the dark web to access LAUSD’s network and launch the ransomware attack.
Twenty-three internal LAUSD credentials were leaked on the dark web leading up to the attack, with at least one set granting access to LAUSD’s Virtual Private Network (VPN). Gaining access to a target’s VPN is usually the initial phase of a ransomware attack since these solutions are gateways to other sensitive network regions where malware can be installed.
How did the LAUSD Ransomware Attack Happen?
On September 3, 2022, the Los Angeles Unified School District (LAUSD) fell victim to a ransomware attack launched by a Russian-speaking ransomware gang known as Vice Society. Vice Society didn’t immediately reveal the true impact of the attack, and without any evidence at the time to confirm otherwise, Superintendent Alberto Carvalho made an optimistic announcement that any accessed data most likely didn’t include personally identifiable information.
Two weeks later, the hackers issued a ransom demand with a three-day ultimatum. At the time, the impact of the attack was still unknown. The offer in the ransom demand was likely the decryption of the critical systems encrypted during the attack.
During a single-extortion ransomware attack, hackers encrypt critical systems and only offer to reinstate system access if a ransom is paid.
Vice Society, however, is a double-extortion ransomware gang, meaning that as well as encrypting critical computer systems, the group steals sensitive data and threatens to sell it if a ransom isn’t paid. These tactics pressure victims into making a ransom payment on two fronts:
- The longer critical systems remain encrypted, the longer a business is unable to operate - which could result in SLA violations.
- If sensitive customer data is leaked, a business could suffer enormous reputational damage.
In this instance, it appears that Vice Society didn’t make its second extortion threat clear in its ransom demand.
LAUSD, rightfully following the FBI’s strict no-ransom payment advice, denied the ransom payment, resulting in Vice Society publishing the stolen data on their ransomware leak blog hosted on the dark web.
This data leak finally proved that sensitive data was stolen during the attack, highlighting the connection between ransomware attacks and data breaches. Vice Society revealed to Bleeping Computer that 500GB of data was stolen from LAUSD’s systems, which may include Social Security Numbers, Passport data, and other sensitive information.
Vice Society is known for targeting the education sector
The incident has escalated to the point of requiring assistance from the FBI, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and local law enforcement.
Not the First Ransomware Attempt
This isn’t the first time LAUSD was targeted by Vice Society. In 2021, the ransomware gang infected a computer belonging to the school’s psychologist with Trickbot - malware designed to steal credentials and financial information. Security firm Hold Security advised LAUSD of the attack, but it's unclear if the specific vulnerabilities that facilitated that attack were addressed.
2 Key Lessons from the LAUSD Hack
Two important lessons can be learned from this attack. By applying them to your current cybersecurity program, your business could significantly minimize the impact or completely prevent a security incident like the LAUSD hack.
1. Implement a Data Leak Service
A data leak detection service notifies a business when its sensitive data has been leaked on the dark web so that compromised accounts can be rapidly secured. The rapid remediation response that’s possible with such a service decreases the chances of compromised accounts being targeted in follow-up attacks.
Such a service might have helped LAUSD detect and secure the leaked internal credentials that likely facilitated this ransomware attack.
2. Enforce MFA Across All Corporate Accounts
In response to the attack, LAUSD announced the accelerated rollout of Multi-Factor Authentication (MFA) on all corporate accounts.
MFA inserts additional identity verification steps within a login process, making it difficult for hackers to log into a network even with stolen credentials. However, MFA can be bypassed, so if you implement this security control, ensure you account for all common bypass methods.
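The two lessons above are easier to act on when a leak alert is mapped straight onto the account inventory it affects. The script below is an added example (not code from the original article, from LAUSD, or from any leak-monitoring vendor) showing how a defender can triage a leaked-credential feed: it normalizes each leaked address, drops foreign-domain and already-rotated credentials, ranks the rest so that VPN-enabled accounts without MFA come first, and separately lists the MFA coverage gap among VPN users. The domain example.edu, the account names and the leak feed are all constructed sample data.

```python
"""Triage a leaked-credential feed against a corporate account inventory.

Added example, not part of the original article. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

CORP_DOMAIN = "example.edu"  # hypothetical domain, not LAUSD's


@dataclass(frozen=True)
class Account:
    email: str
    vpn_access: bool          # holds a VPN entitlement (the gateway attackers target first)
    mfa_enrolled: bool
    last_password_change: datetime


@dataclass(frozen=True)
class LeakRecord:
    email: str                # address exactly as it appeared in the dump
    observed_at: datetime     # when the monitoring service saw it
    source: str


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed directory export; none of these are real people.
ACCOUNTS = {
    "a.lopez@example.edu":  Account("a.lopez@example.edu",  True,  False, _utc(2022, 1, 10)),
    "b.nguyen@example.edu": Account("b.nguyen@example.edu", True,  True,  _utc(2022, 5, 2)),
    "c.patel@example.edu":  Account("c.patel@example.edu",  False, False, _utc(2022, 3, 15)),
    "d.kim@example.edu":    Account("d.kim@example.edu",    False, True,  _utc(2022, 8, 20)),
}

# Constructed leak feed in the shape a monitoring service might deliver.
LEAK_FEED = [
    LeakRecord("A.Lopez@Example.edu",   _utc(2022, 8, 1),  "paste-site"),   # mixed case on purpose
    LeakRecord("c.patel@example.edu",   _utc(2022, 7, 12), "combo-list"),
    LeakRecord("d.kim@example.edu",     _utc(2022, 6, 30), "stealer-log"),  # rotated after exposure
    LeakRecord("someone@othercorp.com", _utc(2022, 8, 1),  "combo-list"),   # not our domain
    LeakRecord("b.nguyen@example.edu",  _utc(2022, 8, 15), "stealer-log"),
]


def normalize(email: str) -> str:
    return email.strip().lower()


def is_corporate(email: str) -> bool:
    return normalize(email).endswith("@" + CORP_DOMAIN)


def priority(acct: Account) -> str:
    """VPN access without MFA is the combination that turns a leaked password into network access."""
    if acct.vpn_access and not acct.mfa_enrolled:
        return "critical"
    if acct.vpn_access or not acct.mfa_enrolled:
        return "high"
    return "medium"


def triage(feed, accounts):
    """Map each leaked corporate credential to a priority and a remediation list.

    Returns dicts sorted critical -> high -> medium -> rotated; duplicates and
    addresses outside the directory are dropped.
    """
    rank = {"critical": 0, "high": 1, "medium": 2, "rotated": 3}
    seen, results = set(), []
    for rec in feed:
        email = normalize(rec.email)
        acct = accounts.get(email)
        if not is_corporate(email) or acct is None or email in seen:
            continue
        seen.add(email)
        if acct.last_password_change > rec.observed_at:
            # The exposed password predates the last reset: nothing to rotate, but keep the record.
            results.append({"email": email, "priority": "rotated",
                            "actions": ["confirm rotation postdates exposure; no reset needed"]})
            continue
        actions = ["force password reset", "revoke active sessions and tokens"]
        if not acct.mfa_enrolled:
            actions.append("enroll MFA before re-enabling login")
        if acct.vpn_access:
            actions.append(f"review VPN authentication logs since {rec.observed_at.date()}")
        results.append({"email": email, "priority": priority(acct), "actions": actions})
    return sorted(results, key=lambda r: rank[r["priority"]])


def mfa_coverage_gap(accounts):
    """Accounts holding VPN access without MFA, i.e. lesson 2's rollout backlog."""
    return sorted(a.email for a in accounts.values() if a.vpn_access and not a.mfa_enrolled)


if __name__ == "__main__":
    for item in triage(LEAK_FEED, ACCOUNTS):
        print(f"[{item['priority']:<8}] {item['email']}: " + "; ".join(item["actions"]))
    print("VPN accounts still without MFA:", mfa_coverage_gap(ACCOUNTS))
```

The rotation check matters in practice: a feed often replays old dumps, and resetting a password that was already changed after the exposure wastes the help desk's time while the genuinely live credentials wait. Ordering by VPN-plus-no-MFA first reflects the article's point that the VPN is the usual first hop of a ransomware intrusion.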