
Vice Society cyber gang targeted multiple UK schools

The Vice Society ransomware gang has made a habit of attacking educational institutions, and now appears to have struck multiple schools, colleges and universities in the UK

The Vice Society ransomware crew has leaked a large volume of personally identifiable information (PII) on pupils and staff at 14 UK schools and universities, including children’s special educational needs (SEN) information, scanned passport data for school trips, and details of staff payroll and contracts.

The documents are known to relate to 14 separate schools, according to an investigation by the BBC, including Pates Grammar School in Gloucester, which was victimised in September 2022. At first, it had been thought no data had been exfiltrated, although five days later, the school emailed parents to tell them this was not the case.

The other schools impacted, according to the BBC, are Carmel College, St Helens; Durham Johnston Comprehensive School; Frances King School of English, London/Dublin; Gateway College, Hamilton, Leicester; Holy Family RC and CE College, Heywood; Lampton School, Hounslow, London; Mossbourne Federation, London; Pilton Community College, Barnstaple; Samuel Ryder Academy, St Albans; School of Oriental and African Studies (SOAS), London; St Paul’s Catholic College, Sunbury-on-Thames; Test Valley School, Stockbridge; and The De Montfort School, Evesham.

A spokesperson for Pates Grammar School said it was working with forensic specialists to investigate and analyse the data, and secure its systems. They said that at this stage, the impacted systems were back online and disruption had been minimised. Spokespeople for three of the other institutions responded to requests for comment from the BBC, with SOAS revealing it had lost almost 19,000 files in an attack on its systems that also took place in September 2022.

At the time of writing, there is no indication as to whether or not any of the above alleged victims have paid a ransom. Computer Weekly additionally understands the Information Commissioner’s Office (ICO) has been informed of the various incidents where necessary.

“The education sector continues to be an attractive target for cyber crime,” said Keiron Holyome, BlackBerry vice-president for the UK, Ireland and emerging markets. “As we have seen again by the latest attack from Vice Society on both US and UK schools, criminals are increasingly attracted by stores of sensitive student data, as well as financial information, parent and investor details, and, too often, a lack of attention to and investment in cyber security.

“To ensure the continuity of education, especially in the context of remote learning, we encourage the government to invest in cyber security for the education sector, considering the impact on individuals’ wellbeing, and ensure security, productivity and user experience. If these devices become infected with a virus or malware, they can expose sensitive personal information that students share during the learning process.”


ESET global cyber security advisor Jake Moore added: “This is a shocking revelation suggesting that cyber criminals are still actively targeting weak links which can have massive impacts on society. When data like this is leaked, there are usually ransom demands that appear before the data is released, suggesting that this data may have been stolen earlier.

“Local government bodies are often protected by older, less secure defences, and threat actors are well aware of the standards which protect them. However, schools and local bodies often do not have the funds to pay ransoms, which can make these attacks fruitless to the criminals yet highly damaging to society. Schools constantly require better defences and more awareness in how to protect their local data.”

The Vice Society group first surfaced in the summer of 2021, when researchers at Cisco Talos observed it chaining the high-profile PrintNightmare vulnerabilities in Windows Print Spooler to achieve remote code execution (RCE) in target environments.

At the time, it was seen launching fairly standard double extortion attacks, but Cisco Talos found it to be more notable because it actively seeks out and deletes backups of its victims’ data, making recovery a more complex prospect and improving its chances of getting paid.

In the 18-odd months since it first came to prominence, Vice Society has become notorious for attacking and extorting educational institutions, with probably its most impactful action an attack on the Los Angeles Unified School District that took place over the Labor Day weekend – the US equivalent of the UK’s late August Bank Holiday.

It published approximately 500GB of stolen data to its dark web leak site following this attack, including pupils’ academic records, disciplinary records and health information. Multiple other schools in the US were also targeted around the same time, prompting a joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

According to Palo Alto Networks’ threat hunters, Unit 42, Vice Society prefers to use forks of existing ransomware families sold via the dark web rather than its own custom payloads. It has been observed using both HelloKitty and Zeppelin. Its ransom demands have in some cases exceeded $1m, although it is known to decrease its demands, often substantially, if victims cooperate and negotiate – a tactic that is not advised.
