K-12 Organization Stops a Ransomware Attack Post-Compromise

In 2022, a single click can cause chaos for an educational institution. That is what one large school district discovered earlier this year when an unsuspecting instructor opened a legit-seeming PDF on their work computer, only to discover that doing so had introduced malicious malware code that had the potential to compromise the entire school's digital ecosystem.

Thankfully, this organization's security team was able to detect signs of compromise and worked quickly—ultimately shutting out the attackers before damage was done—but a recent government security advisory shows why their success story is becoming the exception, not the norm for today's educational institutions.

Cybersecurity Advisory: K-12 Education is Vulnerable to Ransomware

In early September, the FBI, CISA, and MS-ISAC addressed these issues in a joint cybersecurity advisory warning that a relatively new ransomware group known as Vice Society is targeting K-12 education organizations, leading to "restricted access to networks and data, delayed exams, canceled school days, and theft of students' and staff's personal information," according to the advisory.

The warning follows some bleak trends for K-12 institutions which are seen as particularly lucrative targets due to the volume of sensitive student data stored in school systems. Attackers also see high success rates for attacks on education: According to a 2022 Sophos report, 72% of attacks on lower education organizations result in data encryption. The report also found that the number of ransomware attacks on lower education organizations reportedly grew 56% in 2021, while higher education attacks grew 64%—with average recovery costs of $1.58 million and $1.42 million, respectively.

How Vice Society Infiltrates Educational Networks

Vice Society is an intrusion, exfiltration, and extortion hacking group; they first appeared in Summer 2021. By June of this year, Vice Society had claimed 88 victims—over a quarter of which were education-related entities.

The group deploys known ransomware, such as Hello Kitty and Zeppelin. Their strategy is to obtain initial network access by exploiting internet-facing applications. But rather than immediately deploying ransomware, the group spends time exploring the network, increasing access, and exfiltrating sensitive data. Once it finds the right information, it extorts the victim—threatening to release data to the public if its demands are not met.

By presenting their malware and tools as legitimate files, they are able to evade detection. This gives them time to escalate privileges from within, using the PrintNightmare vulnerability. Once they have gained access to domain administrator accounts, they can run scripts to change victims' network passwords—at which point there is little the victim can do but acquiesce.

How One School District Evaded Ransomware

The school district—which was on a similar scale to a large enterprise—had a mature cybersecurity organization with a tech stack that included three EDR tools, next-gen firewalls, and ExtraHop Reveal(x) network detection and response (NDR).

For this school, the click of a malicious PDF introduced malware onto an endpoint. The malicious file was able to bypass the district's EDR and firewall security measures by using very similar tactics to the ones that Vice Society employs, including obfuscating techniques such as file compression, designed to disguise an otherwise malicious payload. These techniques effectively allow a malicious document to masquerade as a legitimate file. Knowing the risks of this type of endpoint evasion, the security team used Reveal(x) as part of a layered security strategy—a plan that paid off when they spotted a data exfiltration detection.

The detection fired when behavior-based detectors in Reveal(x) flagged an unusually large file transfer. In their investigation, the team was able to quickly determine that data was being sent to an unknown external IP address. From that point, the security team went to work to quickly stop the Ransomware at the source, effectively preventing it from affecting other points of the network within about an hour—before any large-scale exfiltration or encryption could take place.

The organization's chief security officer (CSO) was pleased with the results, but in the end reached out to ExtraHop to make future directions even faster by adding signatures for this specific threat on top of the behavior-based detections that caught the initial instruction—further reducing the time to respond from an hour to minutes, should this threat try again.

As attackers become better at concealing their activities, the power of detecting threats post-compromise with the use of behavior-based detection is critical to stopping unknown or evasive threats. By implementing the right mix of tools, detecting threats early, and acting fast, the team at this educational institution was able to spare the work of cleaning up malware, dealing with encrypted files, and ultimately saving the school day for their students.