The Lawrence Family Development Charter School (LFDCS) became the latest cyber attack victim in the US education sector, with the Snatch ransomware claiming responsibility for the LFDCS cyber attack.
In a Twitter post, threat analyst Brett Callow shared a screenshot of the leak site where the group had claimed responsibility for the cyber attack on the U.S.-based school.
The hacker collective added the institution’s name to its victim list on May 3, post the alleged LFDCS cyber attack.
The LFDCS cyber attack and the US educational institutions
The Cyber Express contacted the authorities of the school to confirm the LFDCS cyber attack, however, we are yet to receive a response. The attacked website of LFDCS was accessible at the time of writing.
It is not clear whether a ransom was demanded by the ransomware group. Moreover, no deadline for paying the ransom was declared by the group.
Nearly 29 post-secondary U.S. schools have been targeted by ransomware groups so far, Callow highlighted in a tweet while sharing a statistics report on ransomware in the US published this January.
Nearly 44 universities and colleges were attacked last year; this may exclude some incidents as not all cyber attacks were disclosed publicly, the research report stated.
“Small colleges and universities are unlikely to be able to invest as much in cybersecurity as larger organizations, and that means they’re merely likely to be caught in spray-and-pray attacks,” Callow told The Record Media while highlighting the need for cybersecurity funding and the state of security in US schools.
Snatch ransomware group, and the LFDCS cyber attack
The Snatch ransomware group has been active since at least 2018 and works with the Go programming language for malware. Snatch used the .snake file extension among others on encrypted files.
“The latest Snatch ransomware variant encrypts files on the victim’s machine and appends a “.gaqtfpr” extension to the affected files,” a Fortinet blog on Snatch read.
They post email addresses for the victim to communicate with the group along with instructions on how to send the email.
Snatch malware is a collection of tooling, including a ransomware component, a separate data stealer, a Cobalt Strike reverse-shell, and publicly available tools.
It appears to have been built by the criminals who operate the malware. Snatch has been programmed in Go, but it doesn’t seem to be multiplatform as it can only run on Windows operating systems.
The malware can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions, and is packed with the open-source packer UPX to obfuscate its contents.
The SophosLabs researchers recently found that the Snatch ransomware gang’s malware forced Windows machines to reboot into Safe Mode before starting the encryption process.
Snatch then runs in elevated permissions mode, sets registry keys, instructs Windows to run it following a Safe Mode reboot, and encrypts the disk while running in Safe Mode.
This technique could be used to circumvent endpoint protection as it doesn’t run in Safe Mode, the researchers warned.
CISA and the safety of educational institutions
America’s cyber defense agency the Cybersecurity Infrastructure Security Agency (CISA) has spoken about cybersecurity in US educational institutions and how it partners with various governmental and legal bodies to thwart threats.
CISA has urged educators, staff, and students to peruse the website SchoolSafety.gov for resources, guidance, and all the information needed to secure systems and report cyber incidents.
However, the LFDCS cyber attack is just another addition to a long list, as the US educational institutions and the sector continue to be low-hanging fruits for ransomware gangs.
Ransomware attacks in the education sector are on the rise, with nearly 1,000 schools impacted by these attacks in 2021, affecting around a million students.
The cost to education institutions is estimated to be around $3.5 billion in downtime alone, without including ransomware payments.
Hackers study the means of institutions and set their ransoms accordingly, with payouts varying from $100,000 to $40 million.
Vice Society, a ransomware gang that uses forks of pre-existing ransomware families, has been particularly active in targeting the education sector with ransomware attacks, warned a CISA alert.
School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk,” said the alert.
