A cybercriminal syndicate has taken credit for the ransomware attack on Los Angeles schools and says it has captured sensitive data, according to published reports on technology news sites and in tweets from an Associated Press senior technology reporter.
The claim of responsibility has surfaced at least three times since Thursday, and was made to two veteran technology writers by a group that goes by the name Vice Society. That group was the subject of a warning that federal officials issued this week in the wake of a massive cyberattack against the nation’s second-largest school system. The agencies that issue the alert are directly involved in the investigation of the attack on L.A. Unified.
Federal law enforcement authorities and the school district would not comment on the validity of the two reports or any alleged role by Vice Society in the attack. On Friday morning, a local FBI spokesman said the agency was “not in a position to comment” on anything related to the case.
L.A. schools Supt. Alberto Carvalho said law enforcement had advised him not to speak about details related to the investigation, which includes the FBI, the Department of Homeland Security and the Los Angeles Police Department.
An emailed response to Associated Press reporter Frank Bajak from someone claiming to be a member of the group, claimed responsibility and also said, “We are not political organization, so everything is just for money and pleasure =).”
The statements were made in response to a query Bajak had made via the hackers’ dark web site using an email that federal authorities have listed as belonging to the Vice Society syndicate.
“I am reasonably confident I was corresponding with a representative of Vice Society,” Bajak said in an email exchange with The Times. “I did not ask to see evidence of the data theft. The representative said that would be forthcoming.”
In their response, the hackers claimed they have obtained confidential data. Another tech news site, BleepingComputer, reported that the claims also had been made to them.
School district officials said earlier this week they did not know how much, if any, student information — test scores, grades, class schedules, disciplinary records, reports about disabilities — was stolen, but acknowledged that hackers infiltrated the district’s online student management system.
“We’re still going through student files because … the student management system was touched,” Carvalho said Tuesday.
When the intrusion was discovered Saturday at 10:30 p.m., the L.A. school district, in a countermove, quickly shut down all computer systems over the weekend. That response may have prevented hackers from locking L.A. Unified out of its own computer systems. Had that element of the attack succeeded, recovery could have taken months and cost tens of millions of dollars — either in repairs or ransom or both, experts said.
But that’s just part of a ransomware attack.
“Ransomware groups usually rummage through networks and steal sensitive data before launching their file-encrypting malware,” wrote Jeremy Kirk, executive editor for security and technology for Information Security Media Group, in an article for Data Breach Today. “That way, if victims don’t pay for a decryption key, they can be threatened with the release of those files.”
Kirk was one of the journalists to whom Vice Society claimed credit for the LAUSD cyberattack.
Vice Society uses a site on the dark web to post confidential information when hacked private and public entities refuse to pay up, experts told The Times. This information can then be used by other bad actors for identity theft and other illegal purposes.
A federal alert, issued this week, warned school systems to beware of “Vice Society actors” in light of activities “identified through FBI investigations as recently as September 2022… disproportionately targeting the education sector with ransomware attacks.”
The warning was issued by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center.
“Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021,” the warning stated. The hackers have used software developed by others with quixotic names — Hello Kitty/Five Hands and Zeppelin — that mask their malicious purpose.
The group enters a system by exploiting vulnerabilities and illegally obtained login credentials.
Kirk raised the possibility that hackers gained entry to L.A. Unified through user names and passwords for sale on the dark web. The district on Thursday denied that this was the case.
“As a point of clarification, compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies,” the district release stated.
The federal warning described an extortion scenario used by the Vice group in which school systems were locked out of their own data and programs.
“Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources,” the warning advised. “Vice Society actors run a script to change passwords of victims’ email accounts.”
The theft of data provides a second opportunity for ransom.
“Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom,” the alert stated.
Kirk, who is based in Australia, noted that he received an email response “early Friday Sydney time,” in which a representative of the Vice Society ransomware group claimed credit for the attack.
Kirk said in an interview he communicated with the group via email. Vice Society maintains a website, with contact information, as a vehicle for releasing private data when a ransom is not paid.
Kirk said he has high confidence that he reached the group; whether they lied to him about carrying out the attack, he said, is impossible for him to determine.
Associated Press reporter Bajak had a similar encounter.
“The gang Vice Society claimed responsibility in an email to me after initially demurring,” Bajak tweeted Thursday night. “The person reached at the address on its dark web site said the motive is purely financial.”
Bajak added: “The Vice Society email writer said the syndicate is holding data stolen from hostage. Wouldn’t say what or how much.”
Supt. Carvalho said this week that no ransom demand had been made.
The timing of the federal alert seems more than a coincidence to Brett Callow, threat analyst for cybersecurity firm Emsisoft.
“Given the timing of joint advisory and Vice Society’s long track record of attacks on the education sector, it seems likely that they are indeed behind it,” he said.
Experts also said Vice Society actors probably believe they take little risk in acknowledging their actions. They typically operate in foreign countries, such as Russia, that don’t have a history of arresting or extraditing cybercriminals who target other nations.
Carvalho said earlier that there are indications the hack could have originated in a foreign country.
“I’m not going to get into much detail, but there are three nations that investigators have traced some degree of trail to,” he said Tuesday. “But that doesn’t necessarily indicate that’s where the attack came from.”