A criminal syndicate has given the Los Angeles public school system a Monday deadline to pay a ransom or have its data published on the dark web, potentially exposing confidential student and staff information.
In response, LA Schools Supt. Alberto Carvalho said Friday that the district would not pay the ransom and would not negotiate, on the advice of law enforcement and federal officials.
The deadline was published on the dark web site of Vice Society, which had informally confirmed to at least three reporters that it was responsible for the hack that LA Unified uncovered while it was underway on September 3, during Labor Day weekend. Most district employees were off work for four days.
County and law enforcement officials have declined to blame Vice Society, but federal officials sent out an alert to educational institutions about the syndicate immediately after the attack on the country’s second-largest school system.
Carvalho has acknowledged the attack came from a group familiar to law enforcement and known to target school systems. On Friday, Carvalho denied any media reports identifying Vice Society. He continued his previous practice of not disclosing the amount demanded.
“What I can tell you is that the demand – any demand – would be absurd,” Carvalho said. “But that request was, frankly, insulting. And we will not enter into negotiations with this type of company.”
The claim of responsibility became official with a posting on the dark web. A screenshot shows the Vice Society logo and its catchphrase “ransomware with love”. The site lists as “affiliates” the entities it has allegedly victimized. This now includes the LA Unified School District, which is listed along with the district logo.
“The papers will be released by 00:00 London time on 4 October 2022,” the website reads. A countdown clock ticks down to the deadline. Midnight in London would mean Monday 4pm in Los Angeles.
Hackers have targeted at least 27 U.S. school districts and 28 colleges this year, according to cybersecurity expert Brett Callow, a threat analyst for digital security company Emsisoft. At least 36 of those organizations had data stolen and published online, and at least two counties and one college paid off the attackers, Callow said.
According to Callow’s tally, Vice Society alone has hit at least nine school districts and colleges or universities so far this year.
“What we know now is that all of the data that Vice Society has will be released on the dark web in a little under four days,” Callow said. “However, we don’t know what the data is, how much of it there is, or if this is a bluff and they didn’t get any data at all.”
When the attack was discovered, the district’s technicians quickly shut down all computer operations to limit the damage, and officials were able to open the campus on Tuesday after the holiday weekend as planned. The shutdown and hack combined to create a highly disruptive week as more than 600,000 users had to reset passwords and systems were progressively scanned for breaches and restored.
During this reboot, technicians found so-called tripwires left behind that could have led to further structural damage or further data theft. Recovery of the district systems is underway, but there was another element of the attack: exfiltration of data.
The hackers claim to have stolen 500 gigabytes of data, a claim that is impossible to verify unless the hackers have returned a copy to county officials as proof. This is the information the syndicate is threatening to release publicly.
Carvalho reiterated on Friday that he believes confidential employee information was not stolen. He is less certain about student information, which might include names, grades, class schedules, disciplinary records, and disability status.
In either case, he said the district will help anyone who may be harmed by the release of data, including by setting up a hotline. The district has also established a cybersecurity task force, and the school board has granted emergency powers to Carvalho to take any related steps he deems necessary.
The most damaged internal systems were in the facilities department. Carvalho said it was necessary to create workarounds so contractors could keep getting paid and repairs and construction could go ahead as planned.
In response to the hack, the school system has worked with law enforcement, the federal government, and experts from both the private and public sectors.
Cybersecurity expert Jeremy Kirk said data theft often happens first during an attack and goes unnoticed before the hackers launch a frontal attack to encrypt and cripple entire computer systems.
“Organizations and businesses are being blackmailed by ransomware gangs in two ways today,” said Kirk, editor-in-chief of security and technology at Information Security Media Group. “First, they are asked to pay to receive decryption keys to recover their encrypted data. If that doesn’t work, they’re asked to pay to stop the public sharing of data that a ransomware group stole before they encrypted the data.”
Source: Hackers set Monday deadline for LAUSD data release, https://www.latimes.com/california/story/2022-09-30/hackers-set-monday-deadline-for-lausd-to-pay-up-or-have-private-data-posted-on-dark-web