LA Schools and the Mystery of the Missing Ransom Note

Ransomware gang Vice Society has taken credit for a ransomware attack on the school district, but apparently has yet to demand any money

The ransomware gang Vice Society posted student data to its dark-web “leak site” after LAUSD leaders refused to pay a ransom. (Screenshot)

Updated, Sept. 21: Los Angeles Unified School District has received a ransom demand from the hackers whose breach of the district’s computer systems was discovered Sept. 3, the Los Angeles Times reported yesterday. “We can confirm that there was a demand made,” L.A. schools Superintendent Alberto Carvalho said. “There has been no response to the demand.” The schools chief did not say when the demand was received or how much the cyber attackers are seeking, and did not provide any further details. Carvalho said the country’s second-largest school district is following the advice of experts and law enforcement, including the FBI and the Los Angeles Police Department, the Times reported.

As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar. 

Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, stealing sensitive data and then demanding a ransom in exchange for not publishing the private records on its dark-web outposts.

Vice Society, a ransomware gang, steals and publishes sensitive information on its dark-web “leak site” if its victims fail or decline to pay up. (Screenshot)

So what’s a ransomware attack without a demand for money?

“We have not received a ransom demand, nor have we sought a direct communication with the entity,” Superintendent Alberto Carvalho said at a Friday news conference, nearly a week after the breach was detected.

On Tuesday, the L.A. school board approved an emergency declaration allowing Carvalho, who took the helm at the nation’s second-largest school district in February, to expedite contracts for cybersecurity for a year without competitive bidding.

The new superintendent’s statements are “not consistent” with Vice Society’s extortion playbook, said Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security, a computer security firm that warned the district in 2021 about a cyber vulnerability.

Holden said he fears “a missing link” between the district and the threat actors, who are “definitely known to send out a ransom note because that’s how they get paid.” Vice Society has made clear that money is the primary motive for the cyber attack on L.A. schools, which the group says it carried out, though it has not provided evidence to substantiate its claims.

Holden is not the only one trying to read between the lines.

“One big question everybody has is, ‘Did they pay, are they going to pay the extortion demand?’” said Doug Levin, national director of The K12 Security Information eXchange.

Levin and other cybersecurity experts have a few theories. 

For one, it could be a case of carefully worded messaging. While Carvalho noted that the district has not “sought a direct communication with the entity,” the superintendent’s comments don’t “seem to rule out that someone on their behalf may be in touch with Vice Society,” Levin said, adding that “nothing in their response or in what Vice Society has said or done rules out paying extortion and much is consistent with it.”

In previous attacks, districts have declined to recognize ransom demands unless they come through official channels, he added, and it’s possible that “a pop-up on a computer screen is not a valid way of communication to a district and therefore it does not count as being received.”

It’s possible, Holden said, that a ransom note failed to reach its audience. When organizations learn they’ve been compromised, they sometimes react by defending themselves overzealously, and the ransom note winds up getting blocked, he said.

“The organizations typically tend to lose these notes, block them or don’t report them,” he said. If someone reports a phishing attempt to IT, email administrators tend to purge the message and block future communications from the same sender. “So they basically didn’t block the phishing email, but potentially they blocked the ransomware note.”

But there could be another explanation for the missing ransom note: success. When district officials moved quickly to take their computer systems offline after detecting the breach, they could have effectively eliminated the threat before the demand was made.

“If there’s enough notoriety about it and they didn’t get far enough to actually encrypt enough or exfiltrate enough data, I’ve seen the threat actors abandon it,” cyber crime expert James Turgal told this publication. “When law enforcement gets involved, that’s when those guys start getting really nervous.”

In his press conference, Superintendent Carvalho never called out the hacking group by name but noted that federal law enforcement officials working on the criminal investigation have “intimate knowledge” of the bad actors.

While some cyber criminals steer clear of attacks on schools and hospitals, Vice Society, whose dark web “leak site” is styled after a video game, has no such code, Holden said.

“These guys don’t have this stop and that’s extremely disturbing because this may indicate that they won’t stop for anything,” he said.

Reporters have received brief responses from an email address that federal law enforcement officials say is controlled by the cyber gang. In their replies, the group has claimed to hold files taken from compromised district servers. In an email to The Associated Press, the group offered a simple explanation: “We are not political organization, so everything is just for money and pleasure =).”

This publication contacted Vice Society to request information about its ransom demand and the records it stole. In a brief response, the group said it would provide “all answers after they appear on our website,” suggesting that the L.A. data would be leaked if negotiations fail.

Even without a ransom, recovering from the attack will likely cost the district millions of dollars, experts said. As such attacks on schools have become more frequent, districts face cyber liability insurance rate increases of as much as 300 percent. In 2021, a total of 67 ransomware attacks against U.S. schools and colleges led to substantial downtime and recovery costs. In May, Lincoln College in Illinois announced it would close after becoming the target of a cyber attack.

‘Surveillance and grooming of our own systems’

Los Angeles Unified School District, which serves more than 500,000 students, joins the ranks of districts nationwide on the receiving end of ransomware attacks in recent years, falling victim on the Saturday night of the four-day holiday weekend. The LAUSD breach appears to be part of a growing trend of back-to-school hacks, which take advantage of a chaotic moment when district cybersecurity officials are particularly busy. 

“If you were looking to extort a school district and increase the leverage on them to meet an extortion demand or a ransom demand, this time of the school year would be among the best to do it,” Levin said. “We have seen, over the last several years, that ransomware actors have taken advantage of that fact at the beginning of the school year to extort districts out of millions of dollars of money in demands.”

Superintendent Alberto Carvalho addresses a press conference about sharp decline in student test scores and hacking of LAUSD system on Sept. 9. (Irfan Khan/Getty Images)

As hackers were carrying out the attack, district technology officials detected “unusual live data movement” and made the unprecedented decision to shut down the district’s computer system, a move “that itself caused a number of challenges,” Carvalho said, but one that prevented harm to “other more essential elements.”
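The article does not say how the district’s staff spotted the “unusual live data movement,” so the following is an added illustration of the kind of check a security team could run, not LAUSD’s tooling. It compares each internal host’s hourly outbound volume to external addresses against that host’s own baseline, and alerts only when a transfer is both many times the baseline and above an absolute floor. The record format, the host and destination addresses, and the byte counts are all constructed for the example.

```python
"""Egress-spike detector over flow-style records.

Added illustration, not LAUSD's monitoring or anything the article describes:
one way "unusual live data movement" can be surfaced is to compare each host's
outbound volume to external addresses against its own recent baseline. The
record format, hosts and byte counts below are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import statistics

# RFC 1918 ranges; anything else is treated as "external" for this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse a constructed record: '<hour> <src_ip> <dst_ip> <bytes>'."""
    hour, src, dst, nbytes = line.split()
    return {"hour": int(hour), "src": src, "dst": dst, "bytes": int(nbytes)}


def hourly_egress(lines) -> dict:
    """Map each source host to {hour: bytes sent to external addresses}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        flow = parse_flow(line)
        if is_external(flow["dst"]):  # internal copies (backups etc.) are ignored
            totals[flow["src"]][flow["hour"]] += flow["bytes"]
    return totals


def detect_egress_spikes(lines, baseline_hours=24, factor=10.0, floor_bytes=500_000_000):
    """Return (host, hour, bytes, ratio) for hours after the baseline window in
    which a host sent more than `factor` times its median baseline hour AND more
    than an absolute floor. The floor stops a quiet host (median near zero) from
    alerting on trivial transfers; the ratio keeps a chatty host from hiding a
    large transfer under a high static threshold."""
    alerts = []
    for host, by_hour in hourly_egress(lines).items():
        baseline = [by_hour.get(h, 0) for h in range(baseline_hours)]
        median = statistics.median(baseline)
        threshold = max(median * factor, floor_bytes)
        for hour in sorted(h for h in by_hour if h >= baseline_hours):
            sent = by_hour[hour]
            if sent > threshold:
                ratio = sent / median if median else float("inf")
                alerts.append((host, hour, sent, ratio))
    return alerts


# Constructed sample: two workstations with a day of ordinary traffic, then one
# of them pushes 3 GB to an outside address in hour 25 while also copying 5 GB
# to an internal server (which must not trigger anything).
SAMPLE_FLOWS = (
    [f"{h} 10.20.30.40 203.0.113.10 {2_000_000 + (h % 3) * 100_000}" for h in range(24)]
    + [f"{h} 10.20.30.41 203.0.113.10 1500000" for h in range(24)]
    + [
        "25 10.20.30.40 198.51.100.7 3000000000",
        "25 10.20.30.40 10.0.0.5 5000000000",
        "25 10.20.30.41 203.0.113.10 1500000",
    ]
)

if __name__ == "__main__":
    for host, hour, sent, ratio in detect_egress_spikes(SAMPLE_FLOWS):
        print(f"ALERT host={host} hour={hour} bytes={sent:,} x{ratio:,.0f} baseline")
```

Run stand-alone, the sample produces a single alert for 10.20.30.40 in hour 25; the 5 GB internal copy in the same hour is ignored because its destination is inside the RFC 1918 ranges. The per-host median baseline is the point of the design: a static byte threshold across a whole district either drowns in noise from busy servers or misses a workstation that normally sends almost nothing.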

While a district facilities system was the primary target in the hack, Carvalho acknowledged that hackers had “touched” the online student management system. The facilities system includes information on contracts and non-sensitive records, he said, and it remains unclear whether the threat actors were able to acquire sensitive student information.

“It is quite possible, even likely, that for a period of time in advance of the actual attack, there was a degree of surveillance and grooming of our own systems,” Carvalho said, suggesting threat actors rummaged through district data prior to launching the ransomware scheme. L.A. Unified was in the process of rolling out multi-factor authentication alongside passwords, but Carvalho acknowledged the security measure had not been finalized before the breach.

The criminal investigation into the attack involves officials from the Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In a joint advisory, federal officials warned that Vice Society actors were “disproportionately targeting the education sector with ransomware attacks” that have led to “delayed exams, canceled school days and unauthorized access to and theft of personal information.” Schools may be “particularly lucrative targets,” the advisory said, because they retain a large amount of sensitive student information.

Turgal, the vice president of cyber risk and strategy at Optiv Security, offered a harsh critique of L.A. Unified’s response, noting that officials had previously been warned about vulnerabilities.

“They’re doing the right things,” but a speedy response to eliminate threats from servers is critical, said Turgal, a former executive assistant director for the FBI Information and Technology Branch. “Their response was very measured, but it was very slow.”

The district declined to comment.

While schools reopened after the Labor Day weekend as scheduled, the breach came with substantial disruptions and confusion for the 540,000 students and 70,000 district employees who were required to reset their passwords and were unable to access online platforms. 

“From my students, I could tell they were frustrated,” said Nancy Soni, an 11th grade English teacher in East Los Angeles. “A lot of them didn’t really understand what it meant to be hacked.”

‘A wake-up call’

Outside Los Angeles, ransomware attacks have delivered a serious blow to districts nationwide, crippling their finances with extortion demands and recovery costs. 

In Baltimore, a ransomware attack saddled the county school district with some $10 million in recovery costs. Costs are similar in Buffalo, New York, where the district was hit last year but declined to pay the ransom. When education leaders in Broward County, Florida, declined to pay a $40 million ransom demand after district accounting and financial records were stolen, hackers posted some 26,000 files on the dark web.

In fact, this isn’t Carvalho’s first experience dealing with a data breach. In 2020, while he was superintendent in Miami, Florida, the district fell victim to a cyber attack on the first day of virtual classes. A 16-year-old district student who took credit for the attack was sentenced to a year of probation.

Back in L.A., district leaders were warned on multiple occasions in the last several years that their cybersecurity safeguards weren鈥檛 up to snuff and that data had been compromised. 

In January 2021, the district inspector general reported the results of an information security audit that identified lapses requiring an “immediate remedy,” including “significant risks around passwords and credentials” and the lack of incident response planning and preparation.

Having been presented with “a laundry list of things that should have been done,” it’s critical to understand how the district responded to the audit, said Turgal of Optiv Security.

Carvalho also expressed concern about how the report’s recommendations were handled, saying his “first order of business” is to “actually understand that report and ask the tough questions about why were a number, if not the majority of these measures, not acted upon.”

A month later, in February 2021, cybersecurity experts with Hold Security used an intermediary to inform L.A. district leaders of more bad news. The computer of a school psychologist who was working from home had been compromised, Holden said, likely after she was duped by a phishing email.

District officials worked quickly to patch the hole, and there’s no evidence to suggest it contributed to the recent ransomware attack, but Holden said it should have served as “a wakeup call” and suggests that LAUSD probably hadn’t “put enough safeguards in place to prevent something like this.”

The incident also highlights the reality that cybersecurity attacks on school districts can net highly sensitive data about children, Holden said. 

“Imagine what kind of sensitive information, especially about minors, this person might have within her computer or within her access,” he said. Compromised data from a school psychologist is “the worst-case scenario of what the bad guys could steal, something that would be directly harmful to kids.”

Soni, the English teacher, said that hackers’ potential access to sensitive information is concerning. As an educator in the district, she said she has access to a significant amount of information about students, including their addresses, phone numbers and whether they’re in special education.

“There’s a lot on there, and to have everybody’s personal history be jeopardized, that is scary,” she said. “One of my concerns is having the wrong people have access to information about me, and information about my students.”

LA School Report freelancer Destiny Torres contributed to this report
