Lewis & Clark College cyberattack claimed by notorious ransomware gang

A cyberattack on Lewis & Clark College announced earlier this month has been claimed by a ransomware gang implicated in several attacks on K-12 schools and colleges over the last year.

The Vice Society cybercrime group took credit for the attack on Friday, posting samples of passports as well as documents that included Social Security numbers, insurance files, W-9 forms, contracts and more.

The Portland, Oregon, liberal arts college did not respond to requests for comment about whether a ransom was demanded or will be paid.

Starting on March 3, the school sent out several urgent messages on social media and on its website notifying students and employees that several of its systems were down.

The outages lasted until March 7, and on March 24, the school released a notice explaining that it “experienced an IT security incident which negatively impacted systems and services across” its campuses.

“We are working with external information technology experts to conduct a detailed technical investigation into the outage,” the school said. “Please keep in mind that our investigation is in the earliest stages and is still ongoing. Restoring normal operations and protecting data integrity are our top priority.”

Professors were told to give students time allowances for assignments, considering the widespread outages that affected Workday, Google Workspace, Box, Moodle, GoAnywhere, classroom technology, and much more.

On Friday, the school published a lengthy statement about the incident, confirming that it had been hit with ransomware and that after consulting with experts and law enforcement it was not planning to pay the ransom.

"When cybercriminals publish data of this nature, they do so on portions of the internet that are unindexed, not easily searchable, and only accessible by means of special software, which means that it may take a while to investigate the scope and nature of this claim," school officials said.

They urged students not to respond to any attempts by the ransomware group to contact them and said there was no action anyone should take at the moment. The school will be sending out breach notification letters if they "determine that the incident resulted in unauthorized access or acquisition of protected information related to students, faculty, staff, parents, or other friends of the college."

A penchant for institutions of learning

Vice Society continues to ruthlessly attack grade schools, colleges and universities, leaking troves of sensitive data onto the dark web from students of all ages.

The group published the mental health records of thousands of Los Angeles K-12 students after an attack last year and most recently took credit for an attack on the United Kingdom’s Tanbridge House School.

Emsisoft ransomware expert Brett Callow told Recorded Future News that attacks on the education sector do not appear to be slowing down.

“In fact, a near-identical number of US schools have been impacted by ransomware every year since 2019, so it would seem the efforts made so far to combat the problem have not been effective,” he said. “Many attacks on schools succeed because of fairly basic security shortcomings, and we really need to find a way to fix that.”

This week, it was revealed that a California community college paid $1.1 million in ransom to a group of hackers after it was crippled by an attack in July 2022.

Allan Liska, senior security architect at the cybersecurity firm Recorded Future, said that through the end of March, there have been 49 publicly reported ransomware attacks against schools. Recorded Future is the parent company of The Record.

“If trends hold, 2023 will likely surpass 2022 in terms of number of ransomware attacks against schools. 185 reported in 2022 and we are on track for almost 200 this year,” he said, noting that Vice Society accounted for nearly 20% of all attacks on educational institutions this year.

He noted that the attack on Lewis & Clark College brought the number up to 50 publicly reported ransomware attacks this year.

This article was updated with a statement from the college on March 31 at 5:15 p.m.