Days before the start of the new school year, Los Angeles Unified School District, which serves more than half a million students, was hit by a ransomware attack.
In a statement posted to Twitter on Monday night, California's largest public school system said it was investigating technical issues that caused system disruptions and warned students and faculty that access to some services was unavailable. Early Tuesday morning, LAUSD published another statement confirming the disruptions were caused by a ransomware attack over Labor Day weekend that forced email, computer systems and applications offline.
After contacting law enforcement officials, the school district received assistance from the White House, which provided incident response support from the Department of Education, the FBI and the Cybersecurity and Infrastructure Security Agency.
Though the investigation is ongoing, LAUSD said it expects the first day of school to remain on schedule for Tuesday. The district's website is still accessible; however, an important message pops up stating, "We're experiencing a service outage with multiple applications."
LAUSD confirmed the attack did not affect employee healthcare or payroll services, but it is unclear what student information or additional employee information was accessed. It is also unclear whether a ransom demand was made or paid, but the statement did say the attack was "likely criminal in nature."
As a result of the ransomware attack, students and employees are required to reset their passwords and must go through the district site to do so. Additionally, LAUSD implemented several new protocols, including an Independent Information Technology Task Force, which is responsible for developing a set of cybersecurity recommendations within 90 days.
The school district will also invest in technology updates with a "full scale reorganization of departments and systems." Other new initiatives include a technology advisor, an expanded budget for technology enhancements and mandatory security awareness training for employees.
In addition to government warnings that ransomware attacks increase over holiday weekends, the timing also aligned with threat actors targeting the U.S. education sector at the start of the new school year. For example, both Whitworth University and Sierra College recently suffered ransomware attacks just prior to the scheduled first day of the 2022 school year.
In a Twitter post on Tuesday, Emsisoft analyst Brett Callow pointed to a predictable increase in incidents involving schools during the third quarter every year. He shared Emsisoft research published in 2020 and 2021 to support that claim.
"The number of successful ransomware attacks on the education sector increased by 388 percent between the second and third quarters of 2020. It was a similar story in 2019. This is almost certainly not a coincidence," Emsisoft wrote in a 2020 blog post on education-focused attacks.
Emsisoft attributed the increase to attackers' intentionally long dwell time, as they wait "for the right moment to deploy ransomware in order to maximize the impact." The security vendor confirmed attackers sit on compromised networks for an average of 56 days before deploying ransomware. During that time, they harvest credentials, exfiltrate data and destroy backups.
"In the education sector, the 'right moment' is the start of the school year," the blog post read.
While this is the first confirmed ransomware incident directly targeting LAUSD, the district was affected by a different attack earlier this year. Illuminate Education, a software vendor that provides education entities with data management and student information systems, disclosed a data breach in May that stemmed from an attack in January. While the incident affected LAUSD, there is no indication that it is connected to the recent ransomware attack.
UPDATE: In a joint cybersecurity advisory Tuesday, the FBI, CISA and the Multi-State Information Sharing and Analysis Center urged the education sector, especially K-12 institutions, to be prepared for an uptick in ransomware attacks as the new school year kicks off. The alert highlighted one particularly dangerous group, dubbed Vice Society, which government entities have observed "disproportionately targeting the education sector with ransomware attacks."
Known for double extortion tactics and longer dwell times, Vice Society emerged in 2021. It uses compromised credentials to gain initial access and disguises its malware and tools as legitimate files.
While the advisory acknowledged the education sector is a popular target due to a common lack of cybersecurity resources, it cautioned that even schools with robust security programs remain at risk. In addition to standard practices to prevent ransomware attacks, such as maintaining efficient backups and network segmentation, the alert emphasized the importance of identity and access management protocols, including account audits and time-based access for higher-level account users. Because Vice Society was observed escalating privileges and running scripts to change admin passwords, the alert also recommended disabling command-line and scripting activities and permissions.
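Two of the advisory's recommendations above, time-based access for privileged accounts and auditing for scripted admin password changes, can be turned into simple log checks. The following is an added example (not code from the advisory, LAUSD or any vendor named here) that runs over constructed Windows-style security events; the access window, event fields and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real LAUSD data). Windows security event IDs:
# 4672 = special privileges assigned to a new logon, 4724 = password reset attempt.
EVENTS = [
    {"ts": "2022-09-03T02:10:00", "id": 4672, "actor": "svc_backup", "target": ""},
    {"ts": "2022-09-03T02:11:05", "id": 4724, "actor": "svc_backup", "target": "admin01"},
    {"ts": "2022-09-03T02:11:07", "id": 4724, "actor": "svc_backup", "target": "admin02"},
    {"ts": "2022-09-03T02:11:09", "id": 4724, "actor": "svc_backup", "target": "admin03"},
    {"ts": "2022-09-06T10:30:00", "id": 4672, "actor": "itadmin", "target": ""},
    {"ts": "2022-09-06T10:35:00", "id": 4724, "actor": "itadmin", "target": "jdoe"},
]

# Assumed policy: privileged logons are approved only 07:00-18:59 on weekdays.
ALLOWED_HOURS = range(7, 19)


def outside_access_window(events):
    """Return (actor, timestamp) for privileged logons outside the approved window."""
    hits = []
    for e in events:
        if e["id"] != 4672:
            continue
        t = datetime.fromisoformat(e["ts"])
        if t.weekday() >= 5 or t.hour not in ALLOWED_HOURS:  # weekend or off-hours
            hits.append((e["actor"], e["ts"]))
    return hits


def burst_password_resets(events, threshold=3, window=timedelta(minutes=5)):
    """Return actors who reset >= threshold distinct accounts within `window`.

    A helpdesk one-off is a single reset; a scripted mass reset of admin
    accounts shows up as many resets from one actor in seconds.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            per_actor[e["actor"]].append((datetime.fromisoformat(e["ts"]), e["target"]))
    flagged = {}
    for actor, resets in per_actor.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            targets = {tgt for t, tgt in resets[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[actor] = sorted(targets)
                break
    return flagged
```

Both checks are deliberately narrow; in practice the window and threshold would come from each district's own access policy and baseline helpdesk volume.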
To assist in tracking Vice Society, the FBI emphasized the importance of reporting any communications with the actors such as sample ransom notes and bitcoin wallet information.