A ransomware gang that has been increasingly disproportionately targeting the education sector is the subject of a joint warning issued by the FBI, CISA, and MS-ISAC.
The Vice Society ransomware group has been breaking into schools and colleges, exfiltrating sensitive data, and demanding ransom payments. The threat? If the extortionists aren’t paid, you may not be able to unlock your encrypted files, and the attackers may leak the information they have stolen from your servers online.
According to the advisory, Vice Society most likely gains its initial access to a network through compromised login credentials by exploiting unspecified internet-facing applications.
Once inside the network, the hackers spend their time exploring the IT systems they have compromised, identifying further opportunities to increase their access to sensitive data, and exfiltrating information with the intention of releasing it if a ransom payment is not forthcoming.
The group’s modus operandi can involve the exploitation of known vulnerabilities (such as the so-called PrintNightmare vulnerability found in Windows’ print spooler service) to spread laterally within an organisation.
Once sensitive data has been stolen, the group launches the ransomware attack which encrypts data and displays a ransom demand, saying that documents, photographs and databases have been stolen and encrypted, and that the contents of the files will be shared on an underground website if negotiations do not begin within seven days.
Past victims of the Vice Society attacks have included school districts and educational establishments in the United States, United Kingdom, Australia, and elsewhere.
The criminals attempt to maximise their profits by urging their victims not to seek help from third party recovery services as it “may cause increased price (they add their fee to ours) or you can become a victim of a scam.”
Unfortunately, the criminals behind the Vice Society group appear to be true to their word. On its site based on the dark web, Vice Society lists past victims (the group sardonically calls them “partners”) and links to files stolen from each.
A quick perusal of the leak archive of one of Vice Society’s many educational “partners” in revealed hundreds of passport scans which appeared to belong to students who attended the UK-based school.
As well as strongly discouraging victims from paying any ransom to Vice Society, the FBI is also urging victims to share information that might help disrupt or even dismantle the criminal group:
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
For more information, including indicators of compromise and mitigations please see the joint advisory on the CISA website.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.