Active since at least early June 2021, the Vice Society hacking group has been actively targeting organizations with ransomware and extortion campaigns. Its recent attacks have made up a significant chunk of the total known attacks on the educational sector for 2021 and 2022 so far.
The latest findings
According to a report by Microsoft, Vice Society (tracked as DEV-0832) launched frequent attacks against the global educational sector between July and October.
The ransomware group has been juggling between payloads such as BlackCat, QuantumLocker, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware. It has been observed in attacks with HelloKitty/Five Hands ransomware as well.
Since September, Vice Society has shifted to a modified version of its payload dubbed RedAlert that adds the .locked file extension to encrypted documents.
Tools and malware used
Vice Society’s attacks included custom PowerShell scripts and commodity backdoors such as SystemBC and PortStarter.
It further used commodity tools named Advanced Port Scanner and Advanced IP Scanner.
Other additional tools include WMIC, Impacket’s WMIexec, Impacket Atexec, Vssadmin, Mimikatz, PsExec, and legitimate data sync tools such as Rclone and MegaSync for data exfiltration.
Attack strategy
Vice Societytargets organizations with weaker security controls (with exploitable vulnerable web-facing applications) and using valid accounts to gain an initial foothold in compromised networks.
It gathers privileged credentials, moves laterally using RDP, collects and exfiltrates data, gains post-compromise elevation of privilege, and deploys ransomware.
In some cases, the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.
In other cases, it exfiltrates data from compromised systems before encryption and uses it for double extortion, threatening victims to leak it online if the ransom is not paid.
Conclusion
Vice Society is a perfect example of the success of a mediocre ransomware ecosystem capitalizing on weaker systems. It has earned enough stability to launch attacks on its own and its new ties indicate that it is trying to grow as a threat while focusing on larger victims. A recent alert by the FBI, the CISA, and the MS-ISAC urged education organizations to take the right steps to protect against Vice Society.