A ransomware attack on the Los Angeles Unified School District in the first week of September crippled digital operations across the system, which includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system didn’t pay a ransom.
After the school system refused to pony up, the hackers released the trove, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident.
That’s Vice Society for you.
The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions since emerging at the end of 2020. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals—a sector long-plagued by ransomware attacks, but one that some hacking groups pledged not to target at the height of the COVID-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society’s activity has been just unremarkable enough to keep the group out of the spotlight.
“We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”
Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims’ systems and may sometimes buy a foot in the door from criminal actors known as “initial access” brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization’s own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware.
Shortly after the LAUSD attack, the United States Cybersecurity and Infrastructure Security Agency and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … [The] actors do not use a ransomware variant of unique origin.”
In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victims between North America, South America, and Europe.