Hackers Set Monday Deadline for LAUSD Data Release – Los Angeles Times


A criminal syndicate has set a Monday deadline for the Los Angeles public school system to pay a ransom or have its data published on the dark web, potentially exposing confidential student and employee information.

In response, LA schools Superintendent Alberto Carvalho said Friday the district would not pay the ransom or negotiate, following the advice of law enforcement and federal officials.

The deadline was posted on the dark web site run by Vice Society, which had informally confirmed to at least three reporters that it was responsible for the hack. LA Unified discovered the attack while it was underway on September 3, during the Labor Day weekend, when most district employees were off work for four days.

District and law enforcement officials declined to name Vice Society as the culprit, but federal officials issued a warning to educational institutions about the syndicate immediately after the attack on the second-largest school system in the country.

Carvalho acknowledged the attack came from a group familiar to law enforcement and known to attack school systems. On Friday, Carvalho did not dispute media accounts identifying Vice Society. He continued his previous practice of not naming the amount requested.

“What I can tell you is that the request – any request – would be absurd,” Carvalho said. “But that level of demand was, quite frankly, insulting. And we are not about to enter into negotiations with this type of entity.”

In a statement released later, he added, “Paying a ransom never guarantees full data recovery, and Los Angeles Unified believes public money is better spent on our students than surrendering to an infamous and illicit crime syndicate.”

The claim of responsibility became official with a publication on the dark web. A screenshot shows the Vice Society logo and its slogan “ransomware with love”. The site lists as “partners” the entities it claims to have victimized. These now include the LA Unified School District, which is listed with the district logo.

“Articles will be published London time on October 4, 2022 at 12 noon,” the webpage reads. A countdown marks the time until the deadline. Midnight in London would translate to 4 p.m. Monday in Los Angeles.

This year, hackers have attacked at least 27 school districts and 28 US colleges, according to cybersecurity expert Brett Callow, threat analyst for digital security firm Emsisoft. At least 36 of those organizations had data stolen and posted online, and at least two districts and one college paid off the attackers, Callow said.

Vice Society alone has impacted at least nine school districts and colleges or universities so far this year, according to Callow’s tally.

“What we know now is that all of the data Vice Society has will be released on the dark web in just under four days,” Callow said. “We don’t know what that data is though, how much there is or, for that matter, if it’s a bluff and they didn’t get any data.”

When the attack was discovered, district technicians quickly shut down all IT operations to limit the damage and officials were able to open campuses as planned on Tuesday after the holiday weekend. The shutdown and the hack combined to result in a week of significant disruption, as more than 600,000 users had to reset their passwords and systems were gradually checked for breaches and restored.

During this reboot, technicians found so-called tripwires that could have led to more structural damage or further data theft. Restoration of district systems is underway, but there was also another element of the attack: data exfiltration.

The hackers claim to have stolen 500 GB of data – a claim impossible to verify unless the hackers return a copy to district officials as proof. This is the information that the syndicate says it is ready to make public.

Carvalho repeated on Friday that he believed confidential employee information had not been stolen. He is less certain about student information, which could include names, grades, class schedules, disciplinary records, and disability status.

Either way, he said, the district will provide assistance to anyone potentially harmed by the data release, including setting up an “incident response” line: 855-926-1129. Its hours of operation are 6 a.m. to 3:30 p.m., Monday through Friday, excluding major US holidays.

The district has also established a cybersecurity task force, and the school board has granted Carvalho emergency powers to take any related action he deems necessary.

The most damaged internal systems are in the facilities division. Carvalho said there was a need to create workarounds so contractors could continue to get paid and repairs and construction could continue on schedule.

In response to the hack, the school system worked with law enforcement, the federal government, and private and in-house experts.

Cybersecurity expert Jeremy Kirk said data theft often happens first in an attack, going unnoticed, before hackers launch a frontal assault to encrypt and destroy entire computer systems.

“Organizations and businesses are being extorted by ransomware gangs these days in two ways,” said Kirk, security and technology editor for Information Security Media Group. “First, they are asked to pay for decryption keys to recover their scrambled data. If that doesn’t work, they are asked to pay to stop the public dissemination of data that a ransomware group has stolen before encrypting the data.”

