Ransomware Gang Bullies LA School District By Leaking Stolen Data

On September 5, Los Angeles Unified School District (LAUSD), the second largest school district in the United States, published a news release disclosing a ransomware attack on its internal systems. While LAUSD is far from the only school to have been hit by ransomware this year, the size of the school district has made this particular case a high profile one. Fortunately, LAUSD was able to overcome the disruptions caused by the attack relatively well, managing to continue classes the next day. However, the threat actor behind the ransomware attack wasn’t finished inflicting damage on the school district.

Last Friday, the ransomware gang known as Vice Society publicly claimed responsibility for the attack and threatened to publish files stolen in the attack. The threat actor initially gave the school district four days to pay a ransom before releasing the stolen files online, but LAUSD published a news release that same day stating that it would not pay the ransom: “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.” Vice Society responded by prematurely publishing the stolen files, which the ransomware gang told BleepingComputer amounted to 500GB of data in total.

Unfortunately, while the stolen data is now public, we still don’t know the full extent of the information stolen. LAUSD was quick to launch a task force intended to enhance the school district’s security practices, but the district still hasn’t disclosed what kind of information may have been exfiltrated in the ransomware attack. An unnamed source close to the investigation told NBC Los Angeles that the stolen files included confidential psychological assessments of students, contract and legal documents, business records, numerous database entries, and personally identifying information, such as social security numbers.

At least for the time being, those looking to analyze the stolen data or use it for nefarious purposes may be unable to do so, as the ransomware gang’s dedicated leak site (DLS) appears to be offline. Vice Society referenced the US Cybersecurity & Infrastructure Security Agency (CISA) in its publication of the stolen LAUSD data, and it’s possible that the agency is giving the ransomware gang some trouble. Shortly after the ransomware attack on LAUSD took place, CISA published a joint cybersecurity advisory with the Federal Bureau of Investigation (FBI) detailing Vice Society’s methods and noting the ransomware gang’s propensity to attack targets in the education sector. Perhaps, spurred on by this latest dump of personal information, US law enforcement managed shut down Vice Society’s leak site.

Unfortunately, even if the ransomware gang’s site never comes back online, the data stolen from LAUSD was likely available long enough for other cybercriminals to download a copy of the data. Everyone who works for LAUSD or sends their kids to school in the district should enact precautionary measures, such as credit freezes, to guard against identity fraud in the wake of this event.