LA schools and the mystery of the missing ransom note
Mark Keierleber | September 14, 2022
As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar.
Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, leveraging the theft of sensitive data to demand a ransom. Schools nationwide have shelled out millions of dollars to prevent hackers from publishing private records on dark-web outposts.
So what’s a ransomware attack without a demand for money?
“We have not received a ransom demand, nor have we sought a direct communication with the entity,” Superintendent Alberto Carvalho said at a Friday news conference, nearly a week after the breach was detected.
On Tuesday, the L.A. school board unanimously approved an emergency declaration allowing Carvalho, who took the helm at the nation’s second-largest school district in February, to expedite contracts for cybersecurity for a year without competitive bidding.
The new superintendent’s statements are “not consistent” with Vice Society’s extortion playbook, said Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security, a computer security firm that warned the district in 2021 about a cyber vulnerability.
Holden said he fears “a missing link” between the district and the threat actors, who are “definitely known to send out a ransom note because that’s how they get paid.” Vice Society has made clear that money is the primary motive for the cyber attack on L.A. schools, which the group says it carried out but has not provided evidence to substantiate its claims.
Holden is not the only one trying to read between the lines.
“One big question everybody has is, ‘Did they pay, are they going to pay the extortion demand?’” said Doug Levin, national director of The K12 Security Information eXchange.
Levin and other cybersecurity experts have a few theories.
For one, it could be the case of carefully worded messaging. While Carvalho noted that the district has not “sought a direct communication with the entity,” the superintendent’s comments don’t “seem to rule out that someone on their behalf may be in touch with Vice Society,” Levin said, adding that “nothing in their response or in what Vice Society has said or done rules out paying extortion and much is consistent with it.”
In previous attacks, districts have declined to recognize ransom demands unless they come through official channels, he added, and it’s possible that “a pop-up on a computer screen is not a valid way of communication to a district and therefore it does not count as being received.”
It’s possible, Holden said, that a ransom note failed to reach an audience. When organizations learn they’ve been compromised, they sometimes react by defending themselves overzealously and the ransom note winds up getting blocked, he said.
“The organizations typically tend to lose these notes, block them or don’t report them,” he said. If someone reports a phishing attempt to IT, email administrators tend to purge the message and future communications. “So they basically didn’t block the phishing email, but potentially they blocked the ransomware note.”
But there could be another explanation for the missing ransom — one of success. When district officials moved quickly to take their computer systems offline after detecting the breach, they could have effectively eliminated the threat before the demand was made.
“If there’s enough notoriety about it and they didn’t get far enough to actually encrypt enough or exfiltrate enough data, I’ve seen the threat actors abandon it,” cyber crime expert James Turgal told The 74. “When law enforcement gets involved, that’s when those guys start getting really nervous.”
In his press conference, Superintendent Carvalho never called out the hacking group by name but noted that federal law enforcement officials working on the criminal investigation have “intimate knowledge” of the bad actors.
While some cyber criminals steer clear of attacks on schools and hospitals, Vice Society — whose dark web “leak site” is styled after the video game Grand Theft Auto: Vice City — has no such code, Holden said.
“These guys don’t have this stop and that’s extremely disturbing because this may indicate that they won’t stop for anything,” he said.
Reporters have received brief responses from an email address that federal law enforcement officials say is controlled by the cyber gang. In their replies, the group took credit for the attack and claimed to steal some 500GB of files from compromised district servers. In an email to The Associated Press, the group offered a simple explanation: “We are not political organization, so everything is just for money and pleasure =).”
The 74 contacted Vice Society to request information about its ransom demand and the records it stole. In a brief response, the group said it would provide “all answers after they appear on our website,” suggesting that the L.A. data would be leaked if negotiations fail.
Even without a ransom, recovering from the attack will likely cost the districts millions of dollars, experts said. As such attacks on schools have become more frequent, districts face steep cyber liability insurance premium hikes of as much as 300 percent. In 2021, a total of 67 ransomware attacks against U.S. schools and colleges cost an estimated $3.5 billion in downtime and recovery costs. In May, Lincoln College in Illinois announced it would permanently close after becoming the target of a cyber attack.
‘Surveillance and grooming of our own systems’
Los Angeles Unified School District, which serves more than 500,000 students, joins the ranks of districts nationwide on the receiving end of ransomware attacks in recent years, falling victim on the Saturday night of the four-day holiday weekend. The LAUSD breach appears to be part of a growing trend of back-to-school hacks, which take advantage of a chaotic moment when district cybersecurity officials are particularly busy.
“If you were looking to extort a school district and increase the leverage on them to meet an extortion demand or a ransom demand, this time of the school year would be among the best to do it,” Levin said. “We have seen, over the last several years, that ransomware actors have taken advantage of that fact at the beginning of the school year to extort districts out of millions of dollars of money in demands.”
As hackers were carrying out the attack, district technology officials detected “unusual live data movement,” and made the unprecedented decision to shut down the district’s computer system — a move “that itself caused a number of challenges,” Carvalho said, but prevented “other more essential elements.”
While a district facilities system was a primary target in the hack, Carvalho acknowledged that hackers had “touched” the online student management system. The facilities system includes information on contracts and non-sensitive records, he said, and it remains unclear whether the threat actors were able to acquire sensitive student information.
“It is quite possible, even likely, that for a period of time in advance of the actual attack, there was a degree of surveillance and grooming of our own systems,” Carvalho said, suggesting threat actors rummaged through district data prior to launching the ransomware scheme. L.A. Unified was currently in the process of rolling out passwords with multi-factor authentication, but Carvalho acknowledged the security measure had not been finalized before the breach.
The criminal investigation into the attack involves officials from the Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In a joint Cybersecurity Advisory, federal officials warned that Vice Society actors were “disproportionately targeting the education sector with ransomware attacks” that have led to “delayed exams, canceled school days and unauthorized access to and theft of personal information.” Schools may be “particularly lucrative targets,” the advisory said, because they retain a large amount of sensitive student information.
Turgal, the vice president of cyber risk and strategy at Optiv Security, offered a harsh critique of L.A. Unified’s response, noting that officials had been previously warned about vulnerabilities.
“They’re doing the right things,” but a speedy response to eliminate threats from servers is critical, said Turgal, a former executive assistant director for the FBI Information and Technology Branch. “Their response was very measured, but it was very slow.”
The district declined to comment.
While schools reopened after the Labor Day weekend as scheduled, the breach came with substantial disruptions and confusion for the 540,000 students and 70,000 district employees who were required to reset their passwords and were unable to access online platforms.
“From my students, I could tell they were frustrated,” said Nancy Soni, an 11th grade English teacher in East Los Angeles. “A lot of them didn’t really understand what it meant to be hacked.”
‘A wake-up call’
Outside Los Angeles, ransomware attacks have delivered a serious blow to districts nationwide, crippling their finances with extortion demands and recovery costs.
In Baltimore, a 2020 ransomware attack saddled the county school district with some $10 million in recovery costs. Costs are similar in Buffalo, New York, where the district was struck by an attack last year but declined to pay the ransom. When education leaders in Broward County, Florida, declined to pay a $40 million ransom demand after district accounting and financial records were stolen, hackers posted some 26,000 files on the dark web.
In fact, this isn’t Carvalho’s first experience dealing with a data breach. In 2020, while he was superintendent in Miami, Florida, the district fell victim to a cyber attack on the first day of virtual classes. A 16-year-old district student who took credit for the attack was sentenced to a year of probation.
Back in L.A., district leaders were warned on multiple occasions in the last several years that their cybersecurity safeguards weren’t up to snuff and that data had been compromised.
In January, 2021, the district inspector general released the findings of an information security audit that identified lapses that required an “immediate remedy” including “significant risks around passwords and credentials” and the lack of incident response planning and preparation.
Having been presented with “a laundry list of things that should have been done,” it’s critical to understand how the district responded to the audit, said Turgal of Optiv Security.
Carvalho also expressed concern about how the report’s recommendations were handled, saying his “first order of business” is to “actually understand that report and ask the tough questions about why were a number, if not the majority of these measures, not acted upon.”
A month later, in February, 2021, cybersecurity experts with Hold Security used an intermediary to inform L.A. district leaders of more bad news. The computer for a school psychologist who was working from home had become compromised, Holden said, likely after she was duped by a phishing email.
District officials worked quickly to patch the hole and there’s no evidence to suggest it contributed to the recent ransomware attack, but Holden said it should have served as “a wakeup call’ and suggests that LAUSD probably hadn’t “put enough safeguards in place to prevent something like this.”
The incident also highlights the reality that cybersecurity attacks on school districts can net highly sensitive data about children, Holden said.
“Imagine what kind of sensitive information, especially about minors, this person might have within her computer or within her access,” he said. Compromised data from a school psychologist is “the worst-case scenario of what the bad guys could steal, something that would be directly harmful to kids.”
Soni, the English teacher, said that hackers’ potential access to sensitive information is concerning. As an educator in the district, she said she has access to a significant amount of information about students, including their addresses, phone numbers and whether they’re in special education.
“There’s a lot on there, and to have everybody’s personal history be jeopardized, that is scary,” she said. “One of my concerns is having the wrong people have access to information about me, and information about my students.”
LA School Report freelancer Destiny Torres contributed to this report.