Hackers leak data online in escalation of LA schools ransomware attack
The group behind last month’s attack published 500 gigabytes of stolen data, but the superintendent said the district still refuses to pay the ransom.
The hackers behind last month’s ransomware attack on the Los Angeles Unified School District (LAUSD) escalated their attempt to extort money from the system when they published a trove of stolen data online.
Vice Society, the Russian-language group that took responsibility for the attack, over the weekend posted approximately 500 gigabytes of data on its dark web site, having previously given LAUSD a deadline of Oct. 4 for payment. In response, LAUSD said it set up a hotline to “assist those from our school communities who may have questions or need additional support.”
LAUSD Superintendent Alberto Carvalho said in a tweet that he still refuses to pay any ransom and that “negotiating with cybercriminals attempting to extort education dollars from our kids, teachers, and staff will never be a justifiable option.”
On Friday, before the data was leaked, LAUSD said in a statement that the attack on the nation’s second-largest public school district “demonstrates vulnerabilities that leave school districts nationwide susceptible to the significant risk of disruption to instruction, home to school transportation or access to nutritious meals which are catastrophic for students and their learning.”
Davis Hake, co-founder and vice president of policy at cybersecurity insurance company Resilience, said these types of “double extortion” hacks, where criminals both encrypt and exfiltrate data they threaten to expose, have grown “all too common.” He said agencies and businesses should be prepared for such attacks, especially as the impacts can be felt widely.
“Having kids be able to go to school uninterrupted and keeping their private data safe is obviously the top concern,” Hake said in an email. “The best way to prepare is to think about your cyber resilience to these types of attacks. This decision should be exercised ahead of time, so that teams are not responding on the fly and are able to quickly tap into incident response and insurance support.”
The district said payments to facilities contractors, vendors and workers have been disrupted as the payment systems are not operational, but added that it does not believe that its employee health care and payroll systems have been impacted. Carvalho previously tweeted that over 53,000 students and staff had already changed their passwords despite capacity issues.
The district said it convened an independent IT task force with cybersecurity experts from the public and private sectors immediately after the attack. LAUSD said it would look back at previous cybersecurity audits and then produce a report with any further suggestions. It is also continuing to work with the White House, FBI and the Cybersecurity and Infrastructure Security Agency, along with other partners.
In the immediate aftermath of the ransomware attack, CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center warning about Vice Society. The agencies said that the group is “disproportionately targeting the education sector with ransomware attacks” and that attacks on the sector may increase.