During 2022, the UK's education sector was targeted by ransomware at a much higher rate than in other countries.
Security vendors such as Trend Micro, Malwarebytes and Microsoft have reported these findings based on cases where the victims chose not to pay the ransom, which suggests the actual rate of attacks could be higher than previously identified.
Reports reveal that the education sector accounted for 16% of ransomware attacks in the UK, compared to 4% in France and Germany and 7% in the US.
The primary reason identified is that the threat actor known as Vice Society has chosen the UK as a favourite target. Vice Society has been conducting ransomware and extortion campaigns against the education sector globally.
“Shifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832’s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions,” reads the technical write-up.
“In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.”
According to Microsoft, Vice Society has been active since at least June of last year.
“While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832’s previous opportunistic attacks have affected various industries like local government and retail,” Microsoft wrote.
Because of these shifting targets, the researchers assess that the group's motivations are financial in nature, and that it continues to target companies with weaker security, where the likelihood of compromise, and of a subsequent ransom payment, is higher.
Microsoft released an advisory sharing the methodology and toolset the group is likely to use.
These include PowerShell scripts alongside repurposed legitimate tools, exploits for disclosed vulnerabilities used for initial access and privilege escalation, and commodity backdoors such as SystemBC.
“Ransomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years,” Microsoft said.
“To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations.”
For mitigation advice, please see the NCSC's guidance on mitigating malware and ransomware attacks.