This article was originally published in January 2023, but has been updated with some additional information, following further ransomware attacks on schools in the UK. Highly confidential documents from 14 schools in the UK have been leaked online by hackers. The Vice Society has been behind a high-profile string of attacks on schools across the UK and the USA in recent months.
Hackers, like the VICE SOCIETY, will attack schools for their data, targeting pupil MIS systems, financial information, and parent and investor details in order to obtain information to sell on the dark web. They make demands for money, then leak the documents if payment is not made. They are attracted to the education sector because there is, too often, a lack of attention to and investment in cyber security. They leverage living-off-the-land techniques to sneak past detection - they use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack. This Malwarebytes blog gives some important facts about the Vice Society: The ransomware group wreaking havoc on the education sector.
The full article on the most recent attack, published by the BBC: https://www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc.co.uk/news/uk-england-gloucestershire-63637883.amp. However, there was also an attack in October by the same group of hackers on a group of schools in Hereford: https://cybernews.com/news/data-of-hereford-schools-pupils-posted-on-darkweb/
The education sector continues to be an attractive target for cyber crime as reported by Microsoft recently: https://www.microsoft.com/en-us/wdsi/threats
The VICE SOCIETY is a ransomware-type program. It encrypts data (renders files inaccessible) and demands ransoms for the decryption (access recovery).
A note is sent to victims informing them that their data was stolen and encrypted. Unless victims contact the cyber criminals within seven days, the exfiltrated content will be publicised on the darknet. According to the note, decryption keys have to be purchased to prevent this and to decrypt the compromised files. Furthermore, free decryption of two small non-valuable files is offered. The ransom-demanding message warns against actions that may render the files inaccessible.
To prevent VICE SOCIETY ransomware from encrypting further files, it must be eliminated from the operating system. Unfortunately, removal will not restore already affected files. The only solution is recovering them from a backup, if one was created beforehand and stored elsewhere. To avoid permanent data loss, it is crucial to keep backups on remote servers and/or unplugged storage devices.
Further detail about what the VICE SOCIETY ransomware is and how it can infect your computer systems can be found here: https://www.pcrisk.com/removal-guides/21962-vice-society-ransomware. The FBI have a more technical article: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
More information about current ransomware attacks and cyber security advice can be found on these sites:
https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools
What to do in an attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass it to IT.
Always ensure there are backups you can restore from.
Little Guide to ACTION FRAUD
Remember – ‘Hackers don’t break in they login’!