Vice Society’s ransomware playbook, queries for potential victims leaked
Dive Brief:
- Ransomware group Vice Society may use tactics seen across various threat actors, but its use of a wholly owned ransomware payload with branded extensions sets it apart, according to Microsoft research released Tuesday.
- The group’s consistent modifications to ransomware payloads and its use of multiple malware strains suggests it deploys different variants and techniques based on weaknesses found in targeted organizations.
- Vice Society, which first appeared in June 2021, has heavily targeted the education sector since July 2022 and has hit at least eight school systems this year, according to Emsisoft.
Dive Insight:
A joint Cybersecurity Advisory from federal authorities singled out Vice Society the same day the Los Angeles Unified School District went public with a ransomware attack initiated by the group. After the nation’s second-largest school system refused the group’s ransom demand, Vice Society leaked about 250,000 district files, including some containing personal and potentially damaging information on students and employees.
Microsoft released a detailed assessment of Vice Society’s mode of operation to help schools and other organizations detect and remediate potential intrusions.
“Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payment,” Microsoft Security researchers said in the blog.
Vice Society relies on tactics, techniques and procedures commonly used by other ransomware groups, including PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege and commodity backdoors.
The threat actor has used multiple commodity ransomware variants during the last year, including BlackCat, QuantumLocker and Zeppelin, but it most recently deployed a Vice Society-branded variant of Zeppelin ransomware, Microsoft said. This use of branded file extensions goes against the trend of many ransomware groups that now favor randomly generated variants.
Microsoft attributed multiple campaigns to Vice Society during the past year based on its use of a unique PowerShell file name.
In some cases, the group did not deploy a ransomware payload and instead appeared to exfiltrate data, dwell in compromised networks, and simply attempted to extort victims by threatening to release stolen data unless a payment is made, according to Microsoft.
Vice Society “goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom,” the researchers said.
Microsoft, in one case, observed the group access two domain administrator accounts and then reset user passwords for more than 150,000 users, locking out legitimate users and interrupting remediation efforts.
The Vice Society branded variant of the Zeppelin ransomware payload with .v-s0ciety or .v-society file extensions is unique, according to Microsoft.
“The shift from a ransomware as a service offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates [the threat actor] has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities,” Microsoft researchers wrote.
The group modified its ransomware payload again in late September 2022 to a variant dubbed RedAlert with a .locked file extension. These activities and other Microsoft observations suggest the threat actor maintains multiple ransomware payloads and switches according to targeted defenses.
Microsoft shared hunting queries that organizations can use to search for potential indicators of compromise and made some recommendations to help increase resilience against these attacks.
Gloss