Microsoft claims this devious ransomware gang is attacking schools

ID theft
(Image credit: Future)

A well-known ransomware operator has been targeting schools in the United States, using a signature move of ransomware payload swapping, experts have claimed. 

A report from Microsoft researchers claim to have observed Vice Society switch up ransomware payloads in attacks against schools in the US between July and October this year.

The company’s latest cybersecurity report claims the group regularly swaps between BlackCat, QuantumLocker, Zeppelin, and a Zeppelin  variant modified to carry Vice Society’s brand identity. Since September, though, they also started deploying a modded version of the RedAlert payload, which adds the .locked file extension to all the files it encrypts.

Stealing sensitive data

The group has also reportedly been using the HelloKitty/Five Hands ransomware, as well, and in some cases, Microsoft added, the group skips the encryption part altogether and just steals the data. Later, it threatens to release it to the public unless the ransom demand is met.

"In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data," Microsoft’s report reads. "The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities."

In September 2022, Vice Society released 500GB worth of sensitive data belonging to the Los Angeles Unified School District (LAUSD). The threat actor managed to encrypt LAUSD’s endpoints, but not before making away with folders named “SSN”, “Secret and Confidential”, “Passport”, and “Incident”. 

The organization confirmed it had no intention of paying the ransom demand: "Los Angeles Unified remains firm that dollars must be used to fund students and education," the organization had said. "Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate."

LAUSD encompasses more than a thousand schools, 26,000 teachers, and 600,000 students.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.