Hackers set Monday deadline for LAUSD to pay up or have private data posted on dark web

L.A. schools Supt. Alberto Carvalho speaks to reporters about a cyberattack.
L.A. schools Supt. Alberto Carvalho speaks during a recent news conference at Roybal Learning Center about a major cyberattack on the school system.
(Francine Orr / Los Angeles Times)

A criminal syndicate has set a Monday deadline for the Los Angeles public school system to pay a ransom or have its data released on the dark web, which could potentially expose the confidential information of students and employees.

In response, L.A. schools Supt. Alberto Carvalho said Friday that the district would not pay the ransom and would not negotiate, following the advice of law enforcement and federal officials.

The deadline was posted on the dark web site maintained by Vice Society, which had informally confirmed to at least three reporters that it was responsible for the hack that L.A. Unified uncovered while it was in progress on Sept. 3, during the Labor Day weekend when most district employees were off work for four days.

District and law enforcement officials have declined to name Vice Society as the culprit, but federal officials posted a warning to education institutions about the syndicate immediately after the attack on the nation’s second-largest school system.


A group called Vice Society says it took sensitive data from L.A. Unified “just for money and pleasure.”

Sept. 9, 2022

Carvalho has acknowledged that the attack came from a group that is familiar to law enforcement and known for attacking school systems. On Friday, Carvalho did not contest media accounts identifying Vice Society. He continued his previous practice of not naming the amount that is being demanded.

“What I can tell you is that the demand — any demand — would be absurd,” Carvalho said. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”

In a statement released later, he added: “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

The claim of responsibility became official with a posting on the dark web. A screenshot shows the Vice Society logo and its catchphrase “ransomware with love.” The site lists as “partners” the entities that it claims to have victimized. These now include the L.A. Unified School District, which is listed along with the district logo.

“The papers will be published by London time on Oct. 4, 2022, at 12 a.m.,” the webpage states. A countdown clock ticks down the time to the deadline. Midnight in London would translate to 4 p.m. Monday in Los Angeles.


Hackers this year have attacked at least 27 U.S. school districts and 28 colleges, according to cybersecurity expert Brett Callow, threat analyst for the digital security firm Emsisoft. At least 36 of those organizations had data stolen and released online and at least two districts and one college paid the attackers, Callow said.

Vice Society alone has hit at least nine school districts and colleges or universities so far this year, per Callow’s tally.

Officials did not disclose how much cyber-ransom is sought from nation’s second-largest school system.

Sept. 20, 2022

“What we now know is that whatever data Vice Society has will be released on the dark web in a little under four days,” Callow said. “We don’t, however, know what that data is, how much of it there is or, for that matter, whether this is a bluff and they obtained no data at all.”

When the attack was discovered, district technicians quickly shut down all computer operations to limit the damage and officials were able to open campuses as scheduled on the Tuesday after the holiday weekend. The shutdown and the hack combined to result in a week of significant disruptions as more than 600,000 users had to reset passwords and systems were gradually screened for breaches and restored.

During this rebooting, technicians found so-called tripwires left behind that could have resulted in more structural damage or the further theft of data. The restoration of district systems is ongoing, but there also was another element of the attack: the exfiltration of data.


The hackers claim to have stolen 500 gigs of data — a claim that is impossible to verify unless the hackers returned a copy to district officials as proof. This is the information that the syndicate says it is prepared to release publicly.

Carvalho repeated on Friday that he believes confidential information of employees was not stolen. He is less certain about information related to students, which could include names, grades, course schedules, disciplinary records and disability status.

Whatever the case, he said, the district will provide assistance to anyone who is potentially harmed by the release of data, including by setting up an “incident response” line at (855) 926-1129. Its hours of operation are 6 a.m. to 3:30 p.m., Monday through Friday, excluding major U.S. holidays.

The district also has set up a cybersecurity task force, and the school board has granted Carvalho emergency powers to take any related step he feels is necessary.

L.A. Unified Supt. Carvalho will have emergency authority to approve spending and other measures to restore district computer systems and data.

Sept. 13, 2022

The internal systems most damaged were in the facilities division. Carvalho said it was necessary to create workarounds so that contractors could continue to be paid and repairs and construction could continue on schedule.


In responding to the hack, the school system has worked with law enforcement, the federal government and both private-industry and in-house experts.

Cybersecurity expert Jeremy Kirk said that data theft often happens first during an attack, going on unnoticed, before the hackers make a frontal assault to encrypt and take down entire computer systems.

“Organizations and companies are extorted by ransomware gangs two ways these days,” said Kirk, executive editor for security and technology at Information Security Media Group. “First, they’re asked to pay to get decryption keys to recover their scrambled data. If that doesn’t work, they’re asked to pay to stop the public release of data that a ransomware group has stolen prior to encrypting the data.”