Secure Connect

We need to embrace cybersecurity to future-proof schools

20 September 2023

How have cyberattacks gone from being an annoyance to the most tangible threat faced by education today? Who is responsible? And how can industry leaders tackle this problem? SecurityHQ explains.

The threat landscape of the education sector
SecurityHQ anticipates a continued rise in attacks on the education sector across 2022/2023. According to Gov.uk, 85 percent of higher education institutions in the UK identified breaches or attacks in the last 12 months.

SecurityHQ has identified that the plethora of Internet of Things (IoT) devices being used across school infrastructures provides the perfect initial access vector to internal networks. 

Targeting vulnerable IoT devices is effective because these devices are internet-connected and rarely built with security in mind, leaving inherent vulnerabilities that malicious actors can exploit. One threat actor that has taken advantage of this is the group known as Vice Society.

What is Vice Society and why should you care?
Part of what sets Vice Society apart from other ransomware actors and groups is their approach: they often exploit known vulnerabilities, and they favour sectors known for having a limited IT budget while also holding a large amount of sensitive data.

Schools hold vast amounts of personally identifiable information (PII) on those under the age of 18, yet are repeatedly found to be lacking the most basic cybersecurity controls.

In many schools the IT department is a single IT teacher rather than a department. This stands in contrast to industries like finance, which follow rigid regulations on the handling of sensitive information. The result is that large volumes of poorly protected data are readily available to malicious actors.

How does Vice Society operate?
Vice Society are an opportunistic threat actor, primarily targeting the USA, UK, Spain, and Australia. They are known for using versions of the HelloKitty/FiveHands and Zeppelin ransomware. Initial access is typically obtained through compromised credentials, which is usual for ransomware actors, but the group has also been observed exploiting internet-facing devices.

From there, persistence is achieved through scheduled tasks, newly created registry keys, and malicious dynamic link libraries (DLLs).
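The three persistence mechanisms just listed are exactly what a SOC hunts for once an initial access alert fires. The following is an added example written for this article; it is not SecurityHQ tooling and nothing in it is attributed to Vice Society. It runs a simple hunt over Windows Security and Sysmon events exported as JSON lines, flagging scheduled tasks, Run/RunOnce registry values and loaded DLLs that point at user-writable locations. The field names (EventID, TaskName, TaskContent, TargetObject, Details, Image, ImageLoaded, Signed, Computer) follow the usual Security log and Sysmon schema; the list of user-writable paths and the living-off-the-land binaries are assumptions chosen for the example, and every sample record is constructed, not real telemetry.

```python
"""Hunt for scheduled-task, Run-key and DLL persistence in exported Windows events.

Assumptions (not from the article): input is JSON lines using Windows Security
(EventID 4698) and Sysmon (EventID 13, 7) field names; the constructed SAMPLE
below stands in for a real SIEM export.
"""
import json
import re

# Locations an ordinary user can write to. A persistence artefact that executes
# from one of these deserves a look before anything in Program Files does.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|"
    r"windows\\temp|temp)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Signed Windows binaries commonly abused to launch or load attacker payloads.
LOLBIN = re.compile(r"(powershell|cmd|rundll32|regsvr32|mshta|wscript)\.exe", re.IGNORECASE)


def parse_events(text):
    """Parse a JSON-lines export, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def check_scheduled_task(ev):
    """Security 4698 (task created): flag commands in user-writable paths or encoded LOLBIN calls."""
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "")
    if USER_WRITABLE.search(content) or ("-enc" in content.lower() and LOLBIN.search(content)):
        return f"scheduled task {ev.get('TaskName')} runs from a user-writable path or an encoded command"
    return None


def check_run_key(ev):
    """Sysmon 13 (registry value set): flag Run/RunOnce values pointing at odd executables."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    if USER_WRITABLE.search(details) or LOLBIN.search(details):
        return f"Run key {ev.get('TargetObject')} set to {details}"
    return None


def check_dll(ev):
    """Sysmon 7 (image loaded): flag unsigned DLLs, or DLLs loaded by a LOLBIN, from user-writable paths."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if not USER_WRITABLE.search(loaded):
        return None
    if str(ev.get("Signed", "")).lower() == "false" or LOLBIN.search(ev.get("Image", "")):
        return f"{ev.get('Image')} loaded unsigned or oddly placed DLL {loaded}"
    return None


CHECKS = (check_scheduled_task, check_run_key, check_dll)


def find_persistence(events):
    """Return (host, reason) for every event that trips one of the three checks."""
    findings = []
    for ev in events:
        for check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append((ev.get("Computer", "?"), reason))
                break
    return findings


# Constructed sample export: one benign and one suspicious record per mechanism.
SAMPLE = r'''
{"EventID": 4698, "Computer": "LAB-PC1", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": "<Command>%windir%\\system32\\defrag.exe</Command>"}
{"EventID": 4698, "Computer": "LAB-PC1", "TaskName": "\\Updater", "TaskContent": "<Command>C:\\Users\\jsmith\\AppData\\Roaming\\svc.exe</Command>"}
{"EventID": 13, "Computer": "LAB-PC2", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
{"EventID": 13, "Computer": "LAB-PC2", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sys", "Details": "C:\\ProgramData\\sys\\load.exe"}
{"EventID": 7, "Computer": "LAB-PC3", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"EventID": 7, "Computer": "LAB-PC3", "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Windows\\Temp\\x.dll", "Signed": "false"}
'''

if __name__ == "__main__":
    for host, reason in find_persistence(parse_events(SAMPLE)):
        print(host, "-", reason)
```

Against the constructed sample the hunt returns one finding per host: the Updater task in a user's AppData, the Run value pointing into ProgramData, and rundll32 loading an unsigned DLL from Windows\Temp. The path and binary lists are deliberately short; in a real school estate the first tuning pass is to suppress the legitimate installers and updaters that also live in AppData, which is where most false positives come from.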

Cybersecurity has for too long been an afterthought for institutions which, in many cases, either do not see the benefit of assigning financial resources to a dedicated cybersecurity programme or are prepared to pay a ransom at the expense of their students.

Ransom demands
The education sector is exposed to regulatory fines, especially as schools and universities hold troves of personal data on underage students, yet compliance is often not made a priority until it is too late.

In one case of double extortion, the breach of the South Carolina-based company Blackbaud led to the details of students from the University of Birmingham being leaked after the ransom had been paid to the attackers. It was reported in 2020 that Blackbaud faced at least 10 lawsuits in the US over this single breach.

Looking back at Vice Society, analysis of their ransom demands shows the following:

• Initial demands by this actor could exceed $1 million
• Final demands after negotiation were as high as $460,000
• Vice Society assert that they publish all available data if the ransom is not paid

These ransom demands are often published by the threat actors themselves, which allows SecurityHQ researchers to understand the threat more clearly. Vice Society's use of diverse ransomware families, operating across both Windows and Linux systems, shows that they are continually evolving and must be treated as a dynamic and prevalent threat.

Next steps with SecurityHQ
An MSSP can help alleviate cybersecurity issues within education by providing the necessary expertise to bridge any knowledge gap, assist with regulatory compliance, and streamline vulnerability management across the organisation.

• SecurityHQ’s Vulnerability Management as a Service (VMaaS) offering reduces the exposure of your digital estate to malicious actors and keeps it hardened. This, of course, covers internet-facing devices, denying malicious actors their initial ingress route

• Managed Endpoint Protection (EPP) allows threats targeting a large environment to be prevented and contained, mitigating potential damage

• Threat and Risk Intelligence (TRI) means artefacts and intelligence from the Dark Web can be used to give early warning, take preventative action, and even track down the advanced threat actors targeting you before they have a chance to launch an attack

SecurityHQ’s Cyber Security Managers and Analysts are highly certified, come from infrastructure, network, and development backgrounds, and can cover every area of an extensive technology stack. With 24/7/365 global SOCs, incident response is provided around the clock, meaning you are never without protection.

To speak with one of its experts, get in contact here.



Stone Junction Ltd