The FBI, CISA and the MS-ISAC issued a joint advisory on Tuesday to instruct IT administrators for schools on how to defend against Vice Society ransomware attacks.
The education sector, most notably kindergarten through 12th grade (K-12) institutions, has been frequently targeted by ransomware attacks in recent years, according to the notice.
As a result, these attacks have caused restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information concerning students and staff, according to the advisory.
“The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks,” read the notice. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.
“K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”
According to the fact sheet in the advisory, Vice Society operators don’t use their own ransomware strain. Instead, they alternate between Hello Kitty/Five Hands and Zeppelin ransomware, and may use other variants in the future, the notice warned.
The cybercrime group reportedly gains initial network access through compromised credentials by exploiting internet-facing applications.
“Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data for double extortion–a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom,” said the advisory. “Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used ‘living off the land’ techniques targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content.”
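One telemetry check a defender can run for the WMI-based “living off the land” activity the advisory describes, shown here as an added example that is not part of the advisory or this article: remote command execution through WMI typically surfaces on the target host as the WMI provider host process (WmiPrvSE.exe) spawning a shell or script interpreter. The log format, host names and event lines below are constructed for the example; the field names (`parent`, `image`, `cmdline`) are assumptions, not a vendor or advisory format.

```python
"""
Flag process-creation events in which the WMI provider host spawns a shell or
script interpreter, a common signal of remote command execution over WMI.
"""
import re
from typing import Dict, Iterable, List, Optional

# Children of WmiPrvSE.exe that are rarely legitimate and worth an alert.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Constructed line format (hypothetical, for this example only):
# <timestamp> host=<name> parent="<path>" image="<path>" cmdline="<text>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent="(?P<parent>[^"]*)"\s+'
    r'image="(?P<image>[^"]*)"\s+cmdline="(?P<cmdline>[^"]*)"$'
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (C:\\Windows\\System32\\cmd.exe -> cmd.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed process-creation line; return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wmi_shell_spawn(event: Dict[str, str]) -> bool:
    """True when the parent is the WMI provider host and the child is a shell/interpreter."""
    return (basename(event["parent"]) == WMI_PROVIDER_HOST
            and basename(event["image"]) in SUSPICIOUS_CHILDREN)


def find_wmi_shell_spawns(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed event that matches the WMI shell-spawn pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_wmi_shell_spawn(event):
            hits.append(event)
    return hits


# Constructed sample telemetry: two WMI-spawned shells (lines 1 and 4), one
# ordinary shell from Explorer, the WMI host being started by svchost (normal),
# and WmiPrvSE spawning conhost (not in the watch list).
SAMPLE_LOG = r"""
2022-09-06T08:14:02Z host=LAB-WS01 parent="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c hostname"
2022-09-06T08:14:05Z host=LAB-WS01 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"
2022-09-06T08:15:11Z host=LAB-WS02 parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\wbem\WmiPrvSE.exe" cmdline="C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"
2022-09-06T08:15:12Z host=LAB-WS02 parent="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -Command Get-Process"
2022-09-06T08:16:00Z host=LAB-WS03 parent="C:\Windows\System32\wbem\WmiPrvSE.exe" image="C:\Windows\System32\conhost.exe" cmdline="\??\C:\Windows\system32\conhost.exe 0x4"
"""

if __name__ == "__main__":
    for hit in find_wmi_shell_spawns(SAMPLE_LOG.strip().splitlines()):
        print(f"{hit['ts']} {hit['host']}: {basename(hit['parent'])} -> "
              f"{basename(hit['image'])} :: {hit['cmdline']}")
```

Matching on the parent/child pair rather than on command-line content keeps the check robust to obfuscated or encoded arguments; the command line is kept in the alert only so an analyst can triage it. On a real estate the same logic maps onto Sysmon event ID 1 or Windows Security event 4688 fields (ParentImage/Image or Creator Process Name/New Process Name), and school networks with managed WMI-based inventory tooling should baseline that tooling's parent processes before alerting.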
The fact sheet also included several more details about Vice Society and provided system administrators with a detailed list of indicators of compromise (IOCs) to watch for.