Vice Society, which is known for targeting school systems and higher education institutions, made that claim around Dec. 20, according to Brett Callow, a threat analyst with the cybersecurity firm Emsisoft who monitors ransomware attacks. The breach occurred on Nov. 22, according to Xavier President Reynold Verret's email to the university community on Dec. 22.
Based on past cases, Callow said the information could include payroll, personal finances, Social Security numbers, disciplinary actions and misconduct allegations.
Xavier officials declined comment about the alleged leak.
Callow said those affected could now be exposed to a range of identity-related fraud crimes. He said it is critical that the university notify the affected people of the specific information that was stolen, so they can assess their risk.
"If you don't tell people what happens, they don't know that they should be on high alert. It increases the chance that one crime could result in another," Callow said.
It is not clear how many people were affected in the Xavier attack, what information might have been leaked, or what university officials know about the extent of the theft. Verret's email last week said the university was "in the process of identifying and notifying anyone who may have been affected."
Vice Society claims to have to released the data on to the dark web, an area of the internet that is not picked up by search engines. Any malicious actor on the dark web can download the stolen data for their own purposes, which can include selling it to others.
"There have absolutely been cases where people have raked the data off these websites and tried to sell it on other cyber crime forums," Callow said.
Still, Callow said the university did the right thing if it refused ransom demands, as appears to be the case. He said there is no way to verify that gangs like Vice Society destroy stolen data upon payment, and that some organizations have been extorted more than once over the same data.
"If nobody paid, there'd be no ransomware. It's as simple as that," Callow said. "Paying keeps ransomware profitable, keeps the education sector in the gangs' crosshairs and does absolutely nothing to protect the people whose personal information has been impacted."
SCHOOLS TARGETED
Vice Society has carried out more than 100 cyber attacks around the world since it surfaced in mid-2021, according to Unit 42, a cybersecurity firm. About 40 of those attacks have targeted the education sector. The group has most frequently attacked U.S. organizations, but it has also carried out attacks in Europe, South America, Australia and elsewhere.
Vice Society attacked the Los Angeles Unified School District in September and leaked 500 gigabytes of sensitive student data, according to Wired magazine. That attack prompted federal authorities to issue a warning that the group was primarily taking aim at schools. The group has also been known to hit hospitals and health systems.
The Xavier attack is part of an increasing trend of attacks against higher education. Callow said his firm had tallied a minimum of 43 successful ransomware attacks against U.S. colleges and universities this year by all actors, an increase from 26 in 2021. Data was leaked in more than three-quarters of this year's cases, he said.
The amount of ransom demanded can range from the thousands of dollars to the millions, Callow said.
"These groups have access to networks. They have looked at the organization's financials, which may include its insurance policies. So they very often have a fair idea how much they may be able to extract," Callow said.
©2022 The Times-Picayune | The New Orleans Advocate. Distributed by Tribune Content Agency, LLC.
