Los Angeles Unified School District, or LAUSD — the second largest district in the U.S. with more than 1,000 schools and 600,000 students — confirmed this week that it was hit by a cyberattack over the weekend, disrupting access to its IT systems.
Details about the incident, described as "criminal in nature" and later confirmed to be ransomware, remain vague. It’s not yet known whether data was stolen, and while LAUSD resumed classes as planned on Tuesday following the long Labor Day weekend, the impact on schools is currently unclear. LAUSD's chief communications officer Shannon Haber has not responded to multiple requests for comment.
While there is a lot we don't yet know, a number of details about the incident are beginning to emerge.
Vice Society claims responsibility
Vice Society, a Russian-speaking ransomware group and known for targeting the education sector, claimed responsibility for the LAUSD ransomware attack.
The Vice Society ransomware gang tells me they are responsible for the attack against the Los Angeles Unified School District. (somewhat expected given @CISAgov's alert following the attack). @LASchools #infosec #ransomware #cybersecurity pic.twitter.com/34FvM0xhYt
— Jeremy Kirk (@Jeremy_Kirk) September 8, 2022
Vice Society is a double-extortion ransomware group, meaning it typically exfiltrates a victim's sensitive data as well as encrypting it. The group is known to break into its victims' networks by exploiting the Windows PrintNightmare vulnerability.
A review of Vice Society's leak site does not yet list LAUSD, but a number of other U.S. school districts are currently listed on the site, including Wisconsin's Elmbrook Schools and the Moon Area School District in Allegheny County.
TechCrunch asked LAUSD whether it could confirm that Vice Society was behind the attack but did not receive a response.
The claim by Vice Society comes days after the FBI and CISA warned that the ransomware group, which has been active since 2021, is “disproportionately targeting the education sector with ransomware attacks.” A joint government advisory this week warns that K-12 education institutions, like LAUSD, have been frequent targets of attacks, which have led to restricted access to networks and data, delayed exams, canceled school days and the theft of personal information belonging to students and staff.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that LAUSD is the fiftieth education sector entity to be hit with ransomware this year alone.
Response from LAUSD
While LAUSD has not yet confirmed the impact of the ransomware attack, the district said in an update on September 8 that it is making progress toward “full operational stability” for a number of key IT services. LAUSD hasn't said which services are back up and running, but previously said students and teachers might be unable to access email, Google Drive and Schoology, a popular learning management system.
LAUSD said that all compromised credentials were fully deactivated to protect network integrity and added that it’s expediting the rollout of multi-factor authentication across the district. LAUSD was in the process of a large-scale rollout of multi-factor authentication, with an aim to make the security feature mandatory for employees and contractors starting on September 12, according to an LAUSD notice that was later posted on Twitter.
Superintendent Alberto M. Carvalho said: “This incident has been a firm reminder that cybersecurity threats pose a real risk for our District — and districts across the nation."
Dark web data leak debunked
Earlier this week, reports emerged that "at least 23" login credentials of LAUSD employees appeared on the dark web. The credentials reportedly contained email addresses and passwords, and at least one set of credentials is said to have unlocked an account for the district's virtual private network service.
However, in its update published, LAUSD said that “compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies."
A previous ransomware attempt?
LAUSD was the target of a previous ransomware attack in 2021, according to threat intelligence company Hold Security, via cybersecurity reporter Jeremy Kirk. According to the company, a school psychologist's machine was infected with Trickbot, a financially motivated malware that is sometimes used as a precursor to a ransomware attack.
Here's new info about @LASchools. The district barely avoided a ransomware attack last year. @HoldSecurity warned Los Angeles Unified School District in Feb. 2021 via an intermediary that a school psychologist's machine was infected with the Trickbot malware. #infosec
— Jeremy Kirk (@Jeremy_Kirk) September 8, 2022
Hold Security says it warned the district, but it's not clear what actions — if any — were taken.
"LAUSD may have conducted incident response and remediated. But it foreshadowed what was to come this year," said Kirk, commenting on the security company's findings.