LAUSD Ransomware Attack Foreshadowed By 2021 Intrusion

Cyber intel firm warned LAUSD in 2021 that intruders had broken in; LAUSD still working to recover from the more recent incident that caused widespread disruption.


Security researchers say the ransomware attack that the Los Angeles Unified School District announced last week was at least the second such incident in the last two years.

In February 2021, the cyber intelligence firm Hold Security notified LAUSD that intruders, likely associated with the so-called TrickBot ransomware gang, had obtained login credentials and were inside the school district’s networks.

“We acted swiftly, we identified them moving around the network, and with forewarning, this attack was stopped,” Hold Security CISO Alex Holden told the I-Team.

“We saw that this infected computer stopped responding to the bad guys. So that was a simple, everyday victory for us,” he said.

The prior intrusion, first reported by Data Breach Today, should have led to security improvements beyond the typical warnings to users of potential malware and ‘phishing messages,’ Holden said.

LAUSD declined to answer questions about the 2021 incident or provide updates about the more recent events, referring NBCLA to its previously issued press releases and Twitter feed for information.

The LAUSD announced Sept. 6 that it had been targeted in an attempted ransomware attack that disrupted a number of the school district’s networks, but said it was unclear if the personal information of students and employees had been stolen.

Last Friday, Superintendent Alberto M. Carvalho said the District had not had direct contact with the entity that gained access to its systems, and said that after a few days of assessment it appeared the intruders had gone further than initially thought.

“We have not received a ransom demand, nor have we sought a direct communication with the entity,” he told reporters. “We came across evidence of other areas, particularly within the servers that we needed to circumvent or clean before moving forward.”

On Tuesday, the LAUSD’s oversight board considered declaring an emergency in order to speed the recruitment of an outside firm to assist with fixing systems damaged by the incident and closing any security holes that had allowed access.

Also last week, CISA, the federal agency under the Department of Homeland Security responsible for cyber threats, issued a bulletin that appeared tied to the LAUSD event.

CISA warned that the ransomware group known as “Vice Society” has been targeting educational institutions.

On Sept. 8, IT security reporter Jeremy Kirk, the author of the Data Breach Today article, tweeted that he’d received an email from someone purporting to be with Vice Society confirming its participation in the LAUSD attack.

“So…did Vice do the LA attack?” Kirk asked in a screenshot of the message.

“Yes” was the only reply.

The FBI in Los Angeles is investigating the LAUSD attack.
