Ransomware gang hits second-largest US school district

FBI and CISA on-site to assist with incident response over Labor Day weekend

Updated Cybercriminals hit the Los Angeles Unified School District (LAUSD) over the holiday weekend with a ransomware attack that temporarily shut down email, computer systems, and applications.

Federal agencies including the FBI and CISA are working on-site to assist the US's second-largest public school district in its response.

"Based on a preliminary analysis of critical business systems, employee healthcare and payroll are not impacted, nor has the cyber incident impacted safety and emergency mechanisms in place at schools," the school district noted in a Monday alert. 

LAUSD did not, however, provide details about what type of student and employee information the crooks accessed, who was responsible for the attack, or whether district officials paid the ransom demand.

Despite the breach, which the district described as "criminal in nature," schools were open on Tuesday. The Southern California district typically enrolls more than 640,000 students from kindergarten to 12th grade.

"While we do not expect major technical issues that will prevent Los Angeles Unified from providing instruction and transportation, food or Beyond the Bell services, business operations may be delayed or modified," the notice posted on the district's website said.

Shortly after detecting the attack on its IT systems, the school district called in law enforcement and "swiftly implemented a response protocol" before escalating the response all the way to the White House, according to the security alert: 

"After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies."

Additionally, the district says it deployed additional IT personnel to assist with technical issues and committed to direct "any necessary funding" to improve security while developing mandatory security training for all district employees.

Also in response to the ransomware attack, the district says it will convene an independent IT task force charged with developing a set of network security recommendations within 90 days.

The attack on LAUSD marks the 50th US education body to fall victim to ransomware gangs so far this year, according to Emsisoft threat analyst Brett Callow. This list includes 26 colleges and universities and 24 districts with 1,727 schools between them, Callow noted in a series of Tweets.

For comparison, ransomware gangs hit 88 education sector organizations in 2021.

"These attacks have the potential to put kids at risk," Callow told The Register

"For example, past incidents have seen schools unable to tell which kids were actually in school or who was authorized to pick them up or access their medical info. Thankfully, however, nothing terrible has happened so far and the effects of attacks so far have been limited to disruption and costs."

The costs, however, could reach multiple millions of dollars. For example, Callow noted, Baltimore County Public Schools, a much smaller district with fewer than 200 schools compared to LAUSD's 1,000-plus schools, spent more than $8 million to recover after a ransomware attack. ®

Updated to add

While the Feds have not directly blamed the LAUSD ransomware infection on extortion gang Vice Society, a joint security advisory from the FBI, CISA, and MS-ISAC came pretty close.

“The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks” as recently as September, today’s advisory stated, noting that criminals most frequently target kindergarten through 12th-grade institutions.

Additionally, Uncle Sam expects “attacks may increase as the 2022-2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks,” according to the alert.

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022