Vice Society

Formation: 2021
Type: Hacking

Vice Society is a hacking group known for ransomware extortion attacks on healthcare, educational and manufacturing organizations. [1] The group emerged in the summer of 2021 and is believed to be Russian-speaking. [2] [3] Vice Society uses double extortion and does not operate a ransomware as a service model.


They have attacked targets in both Europe [4] [5] and the United States, including a major compromise of the Los Angeles Unified School District. [6]

Description

The group emerged in the summer of 2021. [7] It has disproportionately targeted the education sector. Research from cybersecurity firm Palo Alto Networks found that Vice Society had listed 33 schools on its data leak site in 2022 alone. [8] Experts categorize Vice Society as a "second- or third-tier" ransomware group in terms of sophistication. However, its prolific attacks on lesser-known schools and regional hospitals have allowed Vice Society to fly under the radar. [9]

Vice Society engages in double extortion, stealing data for leverage in ransom negotiations. They threaten to publish exfiltrated data on dedicated leak sites if ransom demands are not met. Initial ransom demands have exceeded $1 million USD, with final negotiated amounts around $460,000 USD. [10] The group is known to negotiate ransoms down from initial multimillion dollar demands. [8]

Unlike many ransomware groups, Vice Society does not operate using a ransomware as a service model with affiliate hackers. Instead, the group conducts its own intrusions and deployments. This allows Vice Society to quickly move through target networks, with dwell times as short as 6 days before detection. [8]

The group gained significant attention in late 2022 and early 2023 due to a series of high-profile attacks, including one targeting the rapid transit system in San Francisco. [1]

Tactics and techniques

According to the U.S. Cybersecurity and Infrastructure Security Agency, Vice Society has not developed its own in-house attack tools, instead using the Hello Kitty/Five Hands and Zeppelin ransomware toolkits. [3] More recently, the group has developed its own custom ransomware builder and implemented stronger encryption methods. [1]

Vice Society threat actors have exploited vulnerabilities such as PrintNightmare (CVE-2021-1675, CVE-2021-34527) to gain initial access to target networks. [10]

The group primarily gains initial network access by exploiting internet-facing applications through compromised credentials. Prior to deploying ransomware, Vice Society actors spend time exploring the network, seeking opportunities to increase access and exfiltrating data for double extortion purposes. In order to move laterally, they employ various tools such as SystemBC, PowerShell Empire, and Cobalt Strike. Moreover, the group utilizes techniques like targeting the legitimate Windows Management Instrumentation service and tainting shared content. They have also been observed exploiting the PrintNightmare vulnerability to escalate privileges. To maintain persistence, Vice Society utilizes scheduled tasks, undocumented autostart Registry keys, and DLL side-loading. In an effort to evade detection, the actors disguise their malware and tools as legitimate files, employ process injection, and likely utilize evasion techniques against automated dynamic analysis. Additionally, Vice Society actors have been known to escalate privileges, gain access to domain administrator accounts, and change victims' network account passwords to impede remediation efforts. [7]

An analysis of Vice Society's tactics showed the use of tools like Cobalt Strike and Mimikatz to escalate privileges and move laterally within a network. The group disables antivirus software and deletes system logs to evade detection. Encrypted files are appended with the ".v1cesO0ciety" extension and a ransom note is displayed. [11]
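As an added defender-side example (not from the article or any of its cited sources), the following Python detector runs over constructed file-creation events and flags the ".v1cesO0ciety" extension described above, raising a burst alert when several such creations land on one host within a short window. The event format, host names and thresholds are assumptions.

```python
"""Flag files carrying the ".v1cesO0ciety" extension reported for Vice Society
and alert on bursts of such creations per host (mass-encryption behaviour)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".v1cesO0ciety"  # extension cited in the article (Trend Micro analysis)


def parse_event(line):
    # Assumed telemetry format: "<ISO timestamp> <host> <action> <path>"
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def is_ransom_file(action, path):
    return action == "FILE_CREATE" and path.lower().endswith(RANSOM_EXT.lower())


def count_hits(lines):
    """Per-host count of file creations with the ransomware extension."""
    hits = defaultdict(int)
    for line in lines:
        _, host, action, path = parse_event(line)
        if is_ransom_file(action, path):
            hits[host] += 1
    return dict(hits)


def find_burst(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts where at least `threshold`
    ransomware-extension creations occur inside a sliding `window`."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        ts, host, action, path = parse_event(line)
        if not is_ransom_file(action, path):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    "2023-01-10T02:00:00 ws-07 FILE_CREATE C:\\Users\\a\\report.docx.v1cesO0ciety",
    "2023-01-10T02:00:01 ws-07 FILE_CREATE C:\\Users\\a\\budget.xlsx.v1cesO0ciety",
    "2023-01-10T02:00:02 ws-07 FILE_CREATE C:\\Users\\a\\notes.txt",
    "2023-01-10T02:00:03 ws-07 FILE_CREATE C:\\Users\\a\\photo.jpg.v1cesO0ciety",
    "2023-01-10T02:00:04 ws-07 FILE_CREATE C:\\Users\\a\\slides.pptx.v1cesO0ciety",
    "2023-01-10T02:00:05 ws-07 FILE_CREATE C:\\Users\\a\\memo.pdf.v1cesO0ciety",
    "2023-01-10T02:00:06 ws-12 FILE_CREATE D:\\share\\old.bak.v1cesO0ciety",
    "2023-01-10T02:10:00 ws-12 FILE_CREATE D:\\share\\new.bak.v1cesO0ciety",
]
```

With the sample above, ws-07 trips the burst rule at the fifth matching creation while ws-12 only registers two isolated hits; a single hit is still worth an alert on its own since the extension has no benign use.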


References

  1. "Vice Society Ransomware Group Targets Manufacturing Companies". Trend Micro. 2023-01-24. Retrieved 2023-07-17.
  2. Newman, Lily Hay. "How Vice Society Got Away With a Global Ransomware Spree". Wired. ISSN 1059-1028. Retrieved 2022-10-22.
  3. "Alert (AA22-249A) #StopRansomware: Vice Society". Cybersecurity and Infrastructure Security Agency. 2022-09-08. Retrieved 2022-10-22.
  4. "Internet-Erpresser veröffentlichen Gigabyte an vertraulichen Daten der Gemeinde Rolle VD" (in German). Retrieved 2021-11-01.
  5. "Wenn ein Cyberangriff eine Hochschule ausknockt" (in German). Der Spiegel. Retrieved 2022-01-13.
  6. Gooding, Matthew (2022-09-26). "Vice Society claims ransomware attack that hit six UK schools in Scholars' Education Trust". Tech Monitor. Retrieved 2022-10-22.
  7. "#StopRansomware: Vice Society | CISA". www.cisa.gov. 2022-09-08. Retrieved 2023-07-17.
  8. "Vice Society ransomware 'persistent threat' to education sector | TechTarget". Security. Retrieved 2023-08-01.
  9. Newman, Lily Hay. "How Vice Society Got Away With a Global Ransomware Spree". Wired. ISSN 1059-1028. Retrieved 2023-08-01.
  10. Gumarin, J. R. (2022-12-06). "Vice Society: Profiling a Persistent Threat to the Education Sector". Unit 42. Retrieved 2023-08-01.
  11. "Vice Society Ransomware Group Targets Manufacturing Companies". Trend Micro. 2023-01-24. Retrieved 2023-08-01.