New Ransomware Warning Focuses on Group Targeting Education Sector
A joint warning issued by the FBI, CISA, and MS-ISAC highlights another ransomware gang that is targeting the education sector. The Vice Society ransomware group has breached schools and colleges, stealing their sensitive data and demanding ransom payments. As is so often the case with ransomware attacks, if the ransoms aren’t paid, the stolen files may remain locked and the personal information of the victims can be exposed online.
According to the warning, Vice Society likely gains access to the network, and from there to the data, through compromised login credentials by exploiting unspecified internet-facing applications.
Once the attackers are in the network, they explore and access the sensitive data with the intention of releasing it if a ransom payment demand is not met.
The group likely exploits known vulnerabilities (such as the PrintNightmare vulnerability found in Windows’ print spooler service) to spread laterally within an organization.
Once the data has been stolen, the group launches its attack. The data is encrypted and a ransom note is displayed. The message states that documents, photographs and databases have been stolen and encrypted, and that the contents of the files will be shared on underground websites if the ransom isn’t paid within seven days.
Past victims of the Vice Society Ransomware gang have been located in the United States, United Kingdom and Australia.
The ransomware gang attempts to scare its victims into abandoning any source of help. The warning that victims receive notes that using a third party to try to decrypt the files “may cause increased price (they add their fee to ours) or you can become a victim of a scam.”
The Vice Society ransomware group appears to be true to its word. On its dark web site, the group lists past victims (which it sardonically refers to as “partners”) and links to files stolen from each of them. In one example, a directory seems to house passport scans that appear to belong to students who attend a UK-based school.
The FBI is strongly discouraging victims from paying ransoms, and is urging victims to share whatever information they have that may help disrupt or dismantle the ransomware gang.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file,” they said in their warning.
Story via Tripwire