Multiple schools hit by Vice Society ransomware attack

Christopher Boyd

The real world impact of cybercrime rears its head once more, with word that 14 schools in the UK have been caught out by ransomware. The schools, attacked by the group known as Vice Society, have had multiple documents leaked online in the wake of the attack.

One of the main schools highlighted, Pates Grammar School, was affected on or around September 28, 2022. The school eventually realised around October 14 that data had been stolen, and notified parents. Law enforcement are investigating, but this timeline, a week or two of not knowing that data had been exfiltrated, is sadly common.

Schools: A recurring target

Vice Society is no stranger to school compromise, having most recently been in the news for threatening to leak data from the LA Unified School District. In that incident, the School District refused to pay up despite the threat of eventual data leakage should they not comply with the ransom demands.

Here, the same pattern of attack has been followed with data leaked after non-payment of the ransom. There’s going to be quite a bit of concern for parents and teachers alike, with sensitive data being thrown into the mix.

According to the BBC, the data includes:

  • Passport scans of both pupils and parents which date back to 2011
  • Contractual offers made to members of staff
  • Headmaster’s pay and student bursary fund recipients
  • Special Educational Needs (SEN) data

Other unnamed confidential documents belonging to a variety of other schools from across the UK were also seen. The responses to the attacks from the schools are a mixed bag. Some reported the attack to teachers but did not notify them that data had been taken. Others notified their IT department but not parents and pupils. One school reports roughly 18,680 documents having been stolen.

The word from law enforcement

There’s no word on whether any of the affected schools paid the ransom and had their data leaked anyway, or whether the ransomware gang stuck to its word and “only” leaked in cases of non-payment. As we’ve seen recently, cyber insurance is no guarantee of avoiding a ransomware pitfall either, with refusal of payout being decided in a court of law.

Schools are a juicy target for ransomware affiliates: schools often lack both funding and IT expertise, which can make them an easier target than sectors where funding for cybersecurity is more readily available. The impact on students can be immediate, with no access to teaching resources, cancelled exams, or even a total school shutdown.

The FBI has already issued multiple alerts with regard to school attacks down the years, with a joint FBI / CISA alert dedicated to Vice Society back in September of last year:

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff.
School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.

The message is loud and clear: If you’re in education, you’re sadly a target for some of the most prolific ransomware groups around and geographical location is no restriction.

Avoiding the breach

If you’re compromised, there’s no guarantee the attackers will play nice should you pay up. They may leak the files they’ve stolen anyway, or the decryption tool you’re given to recover your files might not work properly. Our advice is to never pay. Here are some things to think about in terms of warding off ransomware attacks:

Remote Desktop Protocol (RDP) compromise. While we don’t know how the attackers got into so many school networks, we can say that RDP is often used to gain entry to targets. Ensure your RDP endpoints are locked down with a good password and multi-factor authentication. If you require a VPN to access it, ensure the VPN is locked down with MFA and other security measures appropriate to your network too. Rate limiting is a great way to fend off brute-force attempts on your logins.
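As an added illustration of the rate-limiting and monitoring point above (example code written for this page, not from the original article): a small Python detector that flags a source address producing repeated RDP logon failures inside a short window, the same signal an account-lockout policy or rate limiter keys on. The event record layout and the sample addresses are constructed for the demo.

```python
"""Spot RDP password-guessing in Windows failed-logon events (Event ID 4625).

Added example, not from the original article. Assumes Security-log events
have been exported into dicts with the fields shown; samples are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(t, src, user, logon_type=10):
    # 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
    return {"time": t, "event_id": 4625, "logon_type": logon_type,
            "src": src, "user": user}

SAMPLE_EVENTS = (
    # Six failures in 25 seconds from one source, cycling usernames.
    [_ev(f"2022-09-28T02:00:{5 * i:02d}", "203.0.113.7", u)
     for i, u in enumerate(["admin", "administrator", "head", "it",
                            "office", "admin"])]
    # A staff member mistyping a password twice, ten minutes apart.
    + [_ev("2022-09-28T08:01:00", "198.51.100.20", "j.smith"),
       _ev("2022-09-28T08:11:00", "198.51.100.20", "j.smith")]
    # Console failure (logon type 2) from the same source: not RDP.
    + [_ev("2022-09-28T02:00:30", "203.0.113.7", "admin", logon_type=2)]
)

def find_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src: sorted usernames} for sources with >= threshold
    RDP logon failures inside any window of window_seconds."""
    recent = defaultdict(deque)   # src -> failure timestamps in window
    users = defaultdict(set)      # src -> usernames attempted
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["src"]]
        q.append(ts)
        users[ev["src"]].add(ev["user"])
        # Drop timestamps that have fallen outside the sliding window.
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = sorted(users[ev["src"]])
    return flagged

if __name__ == "__main__":
    for src, names in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {src}: {', '.join(names)}")
```

The threshold and window are the tuning knobs: a real lockout policy would use the same two numbers, and the occasional mistyped staff password stays below them.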

Back up your data. Backups are the last line of defence against an attack that encrypts your data. This makes your backups a target for attackers, so they need to be offline and offsite so they are completely out of reach. They also need to be tested regularly to make sure they can be restored and aren’t missing anything vital. Backups are not a defence against attackers that steal and leak the data.
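To show what “tested regularly” can look like in practice, here is an added Python example (not from the original article) that checks a test restore against a manifest of file hashes recorded when the backup was taken, reporting files that are missing or whose content no longer matches. The manifest format and the sample files are assumptions made for the demo.

```python
"""Check a restored backup against a manifest of expected file hashes.

Added example, not from the original article. Assumes the backup job records
a manifest (relative path -> SHA-256) at backup time; files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Return (missing, corrupt): manifest entries absent from the restore,
    and entries whose restored content no longer matches its hash."""
    restored_root = Path(restored_root)
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupt.append(rel)
    return missing, corrupt

def demo():
    """Constructed scenario: the restore lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for d in (live / "sen", restored / "sen"):
            d.mkdir(parents=True)
        (live / "sen" / "plans.csv").write_text("pupil,need\n")
        (live / "payroll.xlsx").write_bytes(b"PK\x03\x04salary-data")
        (live / "offers.docx").write_bytes(b"offer letter")
        manifest = build_manifest(live)   # recorded at backup time
        (restored / "sen" / "plans.csv").write_text("pupil,need\n")
        (restored / "payroll.xlsx").write_bytes(b"PK\x03\x04")  # truncated
        return verify_restore(manifest, restored)   # offers.docx never restored
```

Call demo() to run the constructed scenario; against a real backup you would write the manifest when the backup is taken and run verify_restore on a scheduled test restore, treating any non-empty result as a failed test.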

Make an emergency plan sooner rather than later. Too many incidents happen where the first reaction is “What do we do now?” Take the initiative. Work out who is contacted first in the event of an emergency, which data is the most sensitive and valuable on your network, and what you need to restore access to first after an attack. You may have a backup plan in place, but who is responsible for setting it in motion? Are you aware of your legal data breach notification responsibilities? These are all valuable components of a solid response strategy.

Keep your tools in good shape. Are your security tools and network endpoints updated and patched? Ensure that you’re running regular scans and looking for unusual activity on the network. On a related note, keep your security tool licences up to date. You don’t want to discover, mid-incident, that someone in accounting didn’t authorise a payment for another year’s worth of security detection and remediation.

Stay safe out there!