The Los Angeles Unified School District (LAUSD) suffered a cyber attack over the Labor Day holiday weekend, causing “significant disruption” to its digital infrastructure. The school district said it detected unusual activity on its information technology systems over the weekend, which turned out to be an external cyber attack. LAUSD shut down all computer systems from Saturday night, then checked and restarted them by Monday night before going public about the ransomware incident.
However, LAUSD confirmed that classes would resume on Tuesday as the ransomware attack did not affect critical services such as transportation, food, and after-school programs. LAUSD also warned that it expected significant delays or modifications in many business operations.
LAUSD has more than 600,000 students from kindergarten to 12th grade and 26,000 teachers in more than 1,000 schools. It is the second largest school district after New York City Public Schools, which has 919,000 students in over 1,500 schools.
Cyber attack forces LAUSD teachers and students to reset their passwords
LAUSD implemented mitigations to prevent the districtwide disruption of email, computer systems, and applications. Additionally, the school district convened an Independent Information Technology Task Force to review various reports and network audits.
According to Superintendent Alberto M. Carvalho, the task force will dive deep into the recommendations and implementations of the Information Security Audit report by the Office of the Inspector General in 2021. Superintendent Carvalho also promised network updates and the implementation of multi-factor authentication (MFA).
Meanwhile, employees and students must reset their passwords and reauthenticate on the school district’s computer systems.
However, the school district confirmed that the cyber attack did not affect employee healthcare and payroll systems or the schools’ safety and emergency mechanisms.
Nevertheless, LAUSD could not confirm whether the hackers exfiltrated data from the impacted information technology systems. Ransomware operators usually exfiltrate data from compromised computer systems before encrypting them.
They use the stolen information to coerce their victims to pay the ransom, threatening to publish sensitive information online. This double extortion tactic raises the stakes when the privacy and safety of children could be involved.
LAUSD called in the big guns and received an overwhelming response suggesting that the federal government was taking the risk seriously.
“The White House brought together the Department of Education, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies,” LAUSD wrote.
Foreign cyber attack on a U.S. school district
Without naming the threat actor or the country, the school district’s superintendent disclosed that the cyber attack originated from a foreign territory. Additionally, he clarified that the leaked passwords found on illicit websites were unrelated to the cyber attack.
“As a point of clarification, compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies. All compromised credentials have been fully deactivated to protect network integrity,” Carvalho said.
However, US authorities issued a cybersecurity advisory over the Vice Society ransomware targeting educational institutions, especially kindergarten through twelfth grade (K-12) institutions. The impacts of such attacks included unauthorized access to student and employee data, canceled school days, and delayed exams.
According to BleepingComputer, Vice Society had taken responsibility for the LAUSD cyber attack, adding that it stole 500 GB of data. However, the ransomware gang has not published proof or made any ransom demands.
Suspected of being a Russian ransomware gang, Vice Society uses various ransomware variants, including Zeppelin and Hello Kitty/Five Hands.
“This egregious cyberattack is the latest example of the pervasive threat that predatory cybercriminals pose to everyone from multinational businesses to young school children,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “No one is safe from cybercrime, and often the most vulnerable among us are the most likely to be targeted.”
Cash-strapped schools with targets on their backs hemorrhaging money from ransomware attacks
Over 50 educational entities, including 24 school districts and 26 higher education institutions, have suffered ransomware attacks.
According to Aaron Sandeen, CEO of Cyber Security Works, U.S. schools lost $3.56 billion to ransomware attacks in 2021, which also caused the permanent closure of two educational institutions. Sandeen attributed the many school cyber attacks to unpatched vulnerabilities and vulnerable third-party software.
“In this case, an unpatched vulnerability led to Vice Society Ransomware infiltrating Los Angeles Unified School District’s systems,” Sandeen said. “This specific scenario was covered in CSW’s 2021 Q3 ransomware report and in response created a script any organization can run to identify this vulnerability.”
“The incident has impacted 640,000 students across Los Angeles, 31 smaller municipalities and Los Angeles County unincorporated sections,” said Josh Rickard, Senior Security Automation Architect at Swimlane. “With kids returning to school this week as well as school districts’ limited cybersecurity resources, school systems like LAUSD have unfortunately become easy targets for cybercriminals.”
Matthew Warner, CTO and Co-Founder at Blumira, noted that the threat landscape had expanded in the education sector with endpoints increasing and staff and students using personal devices to connect to schools’ networks.
“Colleges, in particular, have many personal devices on their network, since students bring both personal laptops and mobile devices.”
Comparing LAUSD’s strong response to shutting the stable door after the horse has bolted, Steve Moore, chief security strategist at Exabeam, laid the blame squarely on educational institutions.
“Although the LA School District’s announcement includes sweeping changes, it’s a shame they didn’t make them before the crisis.”

