FBI Arms Schools with Knowledge on How to Fight Vice Society Ransomware Attacks

The FBI, CISA and the MS-ISAC have issued a joint advisory to instruct IT administrators in the education sectors on how to defend against Vice Society ransomware attacks.

The education sector, especially kindergarten through 12th grade (K-12) institutions, have been a frequent target of ransomware attacks in recent years, according to the notice.

These attacks have often resulted in restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff, the advisory states.

“The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks,” reads the notice. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”

According to the fact sheet, Vice Society operators don’t use a ransomware strain of their own. Rather, they switch between Hello Kitty/Five Hands and Zeppelin ransomware, and may deploy other variants in the future, the notice warns.

The cybercrime group is thought to gain initial network access through compromised credentials by exploiting internet-facing applications.

“Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom,” the advisory states. “Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used “living off the land” techniques targeting the legitimate Windows Management Instrumentation (WMI) service and tainting shared content.”

The data sheet includes several more technical details of their modus operandi, and offers system administrators a long list of indicators of compromise (IOCs) to know what clues to look for.

An even longer list of mitigations is offered, with the feds urging admins to maintain offline backups and ensure all backup data is encrypted and immutable, in case a ransomware infection does occur.

As usual, the FBI strongly advises schools to refuse to cooperate with cybercriminals, as paying ransom does not guarantee files will be recovered. Payment may also embolden cybercrooks to keep doing what they do, the feds warn.