SEP 06 2022

Vice Society and Ransomware Attacks

The Vice Society ransomware gang has been targeting educational institutions (over 26% of its attacks) with human-operated, double-extortion ransomware phishing attacks. This ransomware group is relatively new to the world of cybersecurity, and it commonly gets into networks or computer systems by using malicious documents containing ransomware in phishing attacks.

  • Phishing is a type of social engineering in which a bad actor (“attacker” or “hacker”) sends a fraudulent message designed to trick a person into revealing sensitive information or into deploying malicious software, such as ransomware, on the victim’s infrastructure. In the case of Vice Society, the victim opens an email attachment and inadvertently deploys ransomware (a program that performs an unwanted function). For example, you might get an email that appears to be an invoice. It might say, “Open this invoice. It’s now overdue, and immediate attention is needed,” or something similar. When a person opens the attachment, it executes ransomware, which gives the hacker access to your system.
  • The ransomware they use is a double extortion ransomware in which the hackers’ ransomware secretly extracts their victim’s sensitive data and encrypts it. This gives the hacker leverage to collect ransom payments. In these double extortion attacks, Vice Society gains access to a victim’s network via malware planted by phishing. They then locate and copy files they deem high value (for example, SSNs, medical information, data about minors) from across the network. After copying this data offsite, they encrypt the data on their victim’s server, delete their victim’s backup data, and demand a ransom. If the ransom is not paid, the hackers will publish the data—potentially exposing the victim’s sensitive information. Vice Society does not make empty threats. If you do not make a ransom agreement, they will almost always release data. They also release data if they believe other cyber experts are involved.
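
For mail administrators, the invoice lure described in the first bullet can be turned into a simple triage rule. The sketch below is an added example, not code from this article's author or from any vendor. The function names, the keyword list and the attachment extension list are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Wording taken from the invoice lure quoted above; extend for your own mail flow.
LURE_TERMS = re.compile(r"\b(invoice|overdue|immediate attention)\b", re.I)
# Assumed list of document types that can carry macros or other active content.
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf")

def triage(raw: str) -> dict:
    """Parse one RFC 5322 message and report lure wording and risky attachments."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    terms = sorted({t.lower() for t in LURE_TERMS.findall(text)})
    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            risky.append(name)
    # Hold for review only when pressure wording and a risky attachment occur
    # together; either signal alone is common in legitimate mail.
    verdict = "quarantine" if terms and risky else "deliver"
    return {"terms": terms, "attachments": risky, "verdict": verdict}

def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Build a constructed test message (addresses and bytes are placeholders)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@example.com", "staff@example.edu", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    lure = "Open this invoice. It's now overdue, and immediate attention is needed."
    for raw in (build_sample("Invoice overdue", lure, "Invoice_8841.docm"),
                build_sample("Invoice overdue", lure),
                build_sample("Meeting notes", "Agenda attached.", "notes.docm")):
        print(triage(raw))
```

A rule like this only routes suspicious mail to a review queue. It does not inspect attachment contents, so it complements attachment scanning and user training and does not replace them.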

These hackers have paid close attention to victims’ reactions to their attacks and have quickly incorporated new tools in response. To defend against such ongoing attacks and the nimble responses of these hackers, you should implement the workarounds provided by your cybersecurity teams or your cybersecurity software solutions, including applying any available patches and other fixes, as soon as possible to remove attack vectors.

Reducing the Threat of Double Extortion Ransomware

Because of the ongoing rise in ransomware attacks against educational institutions and businesses since the onset of COVID-19 and the increase in remote learning and working, CISA, in collaboration with the FBI, maintains a fact sheet, Cyber Threats to K-12 Remote Learning Education, and a Cybersecurity Awareness Program Toolkit.
