Intelligence experts in the United States are warning schools of the increased chance of cyberattacks as the semester kicks into full swing. 

In a bulletin issued Tuesday, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency said actors from Vice Society – a ransomware threat first identified in summer 2021 – have been “disproportionately targeting the education sector with ransomware attacks,” with some identified as recently as this month. 


What You Need To Know

  • Intelligence experts in the United States are warning schools of the increased chance of cyberattacks as the semester kicks into full swing

  • According to CISA and the FBI, actors from Vice Society – a ransomware threat first identified in summer 2021 – have been “disproportionately targeting the education sector”

  • The intelligence community’s warning came soon after a ransomware attack targeted the massive Los Angeles school district

  • So far this year, 26 U.S. school districts — including Los Angeles — and 24 colleges and universities have been hit by so-called ransomware

Vice Society in particular targets educational institutions, as well as healthcare businesses and non-governmental organizations. The group works by targeting internet-facing applications and then mining for personal data, which it then threatens to publicly release unless the target agrees to pay a ransom.

Intelligence officials on Tuesday wrote they “anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks,” warning that K-12 schools might be “particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.” 

In order to prepare for the possibility of a cyberattack, the FBI and CISA advise institutions to maintain offline backups of data; document all external remote connections; require all accounts to comply with nationally recognized password strengthening recommendations; and implement a recovery plan, among other actions. 

The intelligence community’s warning came soon after a ransomware attack targeted the massive Los Angeles school district, prompting an unprecedented shutdown of its computer systems and an ongoing investigation with both local and national law enforcement. 

Authorities believe the LA attack originated internationally and have identified three potential countries where it may have come from, though LA Superintendent Alberto Carvalho would not say which countries may be involved. Most ransomware criminals are Russian speakers who operate without interference from the Kremlin.

LA officials did not identify the ransomware used.

The attack on the Los Angeles Unified School District sounded alarms across the country, from urgent talks with the White House and the National Security Council after the first signs of ransomware were discovered late Saturday night to mandated password changes for 540,000 students and 70,000 district employees.

Though the attack used technology that encrypts data and won’t unlock it unless a ransom is paid, in this case the district’s superintendent said no immediate demand for money was made and schools in the nation’s second-largest district opened as scheduled on Tuesday.

Such attacks have become a growing threat to U.S. schools, with several high-profile incidents reported since last year as pandemic-forced reliance on technology increases the impact. And ransomware gangs have in the past planned major attacks on U.S. holiday weekends, when they know IT staffing will be thin and security experts will be relaxing.

So far this year, 26 U.S. school districts — including Los Angeles — and 24 colleges and universities have been hit by so-called ransomware, according to Brett Callow, a ransomware analyst at the cybersecurity firm Emsisoft.

With victims increasingly refusing to pay to have their data unlocked, many cybercriminals instead use the same technology to steal sensitive information and demand extortion payments. If the victim doesn’t pay, the data gets dumped online.