The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.
Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.
This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. After issuing advisories about MedusaLocker and Zeppelin ransomware, this is the third CSA of 2022 which aims to provide technical information on ransomware variants and ransomware threat actors.
Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. Malwarebytes has been tracking the group since December 2020. Due to similarities in naming and tactics we suspect there is a tie to the HelloKitty ransomware group. Both use the .kitty or .crypted file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.
The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.
Vice Society has been known to exploit known vulnerabilities in SonicWall products, and the set of vulnerabilities commonly referred to as PrintNightmare. The CSA also mentions the gang exploiting internet-facing applications without providing details.
Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrate data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike in order to move laterally.
Los Angeles Unified school district
In a recent example of a school district targeted by ransomware, the huge Los Angeles Unified School District fell victim to a ransomware attack. LAUSD is the second largest school district In the US, and the attack targeted the LAUSD’s information technology systems during the Labor Day weekend. Authorities moved to shut down many of the district’s most sensitive platforms over the weekend to stop the spread and restrict the damage, and by Tuesday most online services — including key emergency systems — were operating safely.
The attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down.
An investigation involving the FBI, the Department of Homeland Security and local law enforcement is underway.
From the example above we can see that constant monitoring and adequate intervention helped to limit the impact.
Besides IOCs and attack techniques, the CSA provides a lot of mitigation advice. Since the techniques used by the Vice Society group are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.
But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups, for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. This makes it less likely that you will be severely interrupted, and/or only have irretrievable data, in the event of a ransomware attack.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.
Require all accounts with password logins to meet the required standards for developing and managing password policies:
- Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
- Implement time-based access for accounts set at the admin level and higher
- Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers
- Store passwords using industry best practice password hashing functions
- Implement password rate limits and lockouts
- Avoid frequent password resets (once a year is fine)
- Avoid reusing passwords
- Disable password “hints”
- Require administrator credentials to install software
Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)
Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Stay safe, everyone!