Cybersecurity analysts said Tuesday that data believed to be from Mars Area School District was published online by the ransomware group Vice Society. The group claims the data was stolen from the district during a recent hack.

In a tweet Tuesday morning, cybersecurity threat analyst Brett Callow of the malware protection company Emsisoft said Vice Society posted files they claimed were from Mars Area on its “dark web” site.

Mars Area reiterated in a statement posted on the district’s website Tuesday night that the district is investigating the attack. The announcement confirmed that the district recently learned that “certain Mars data was leaked online as a result of the incident.”

“Protecting the security and privacy of personal information and student information is of the utmost importance to Mars Area School District,” the announcement read. “We are conducting a thorough investigation with leading information security experts. We have also reported this incident to law enforcement. Our investigation is ongoing, but, at this time, we cannot say for certain what data was impacted.”

The district said in the statement that any impacted individuals will be notified once the investigation concludes, “in accordance with the relevant data security laws.”

Mark Gross, district superintendent, said the investigation is ongoing, and that the district is working with cybersecurity advisers Arete Advisors, and holding daily meetings on the situation.

“They did confirm that there was a posting of something, but we don’t know what that something is,” Gross said. “We are waiting to get briefed on that.”

Callow explained that a site on the dark web is in an area of the internet that can be accessed only with special browsers and can’t be found through search engines.

Cybersecurity analyst and security researcher Dominic Alvieri said on Twitter that Vice Society “is responsible for the Mars Area School District (attack) and files have been leaked.”

According to a September 2022 warning from the U.S. Cybersecurity and Infrastructure Security Agency, Vice Society is an “intrusion, exfiltration, and extortion hacking group” that first appeared in summer 2021.

Callow described Vice Society’s tactic as twofold: the group first steals the target’s data, and then locks the target’s computer systems, demanding a ransom to first unlock the system and second to supposedly delete the stolen data.

The Vice Society ransomware group also claimed responsibility for a recent hack on the country’s second largest school district, Los Angeles Unified School District.

The CISA warning says that Vice Society is known for “disproportionately targeting the education sector” with its ransomware attacks. Schools may be seen as “particularly lucrative targets” due to the amount of sensitive student data available through school systems, the warning reads.

“Over the past several years, the education sector, especially kindergarten through 12th grade (K-12) institutions, have been a frequent target of ransomware attacks,” the warning explains. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.”

Callow said that while other hacking groups target random organizations without much pattern, Vice Society is known for going after school districts.

“Most ransomware gangs aren’t particularly specific in the type of organization they target, but Vice Society for some reason seems to have a strong preference for the education sector,” he said.

Callow said the data published may not be all of the data obtained by Vice Society, as ransomware attackers often post a portion of data online in order to convince victims to pay the ransom.

“If that doesn’t convince the organization to pay, they will release the rest of the data, if they have any,” Callow said. “There’s no way of knowing at this point how much data Vice Society may have obtained, or whether what they have released online is all of the data, or whether there is still more to come."

Ransomware attacks are a common form of cybersecurity incident, said Dr. Naresh Adhikari, assistant professor of cybersecurity at Slippery Rock University.

“Ransomware attacks can happen anywhere,” he said. “A ransomware attack can be an attack where an attacker locks computing resources — anything like a computer or server or website or file that the user is the owner of — and then the attacker wants money in return for releasing the locks.”

The attacks often are carried out by stealing passwords or encryption keys, which the attacker then uses to take control of the victim’s computer systems, he said.

“Most of the time, what the attacker does is they exploit small information on the system and discover more resources, ultimately getting the ownership of the encryption keys, or password, or critical information that unlocks the computing resources,” Adhikari said.

Organizations can help avoid ransomware attacks by being careful where their passwords or encryption keys are stored, keeping separate backups or copies of information, and avoiding “phishing” attacks, or attempts by potential hackers to steal user passwords by posing as a legitimate site or email.

“Usually, phishing is one of the tools that is used to hack or get possession of the user’s credentials,” he said. “We need to avoid phishing sort of attacks before we want to defend from ransomware attacks.”