On Tuesday 6th of September 2022, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE cybersecurity advisory which revealed that multiple agencies have observed Vice Society threat actors disproportionately targeting the education sector with ransomware attacks. The impacts of ransomware attacks against the education sector have ranged from restricted access to networks and data, delayed exams, and cancelled school days to unauthorized access to and theft of personal information regarding students and staff. The advisory stated that the Vice Society threat actors are known to deploy versions of Hello Kitty/Five Hands and Zeppelin ransomware, instead of developing and using ransomware of their own.
This joint cybersecurity advisory was released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to provide key cyber threat information to help security professionals and organisations detect and counter ransomware attacks conducted by the Vice Society group. The advisory also revealed that the FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks, especially as many school districts have limited cybersecurity capabilities and constrained resources, which often makes them vulnerable and lucrative targets.
Furthermore, the FBI, CISA, and the MS-ISAC encourage organisations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents. The FBI has also asked that any information related to the Vice Society group be shared with it. This information can include “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”