Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector

A cybercrime group known as Vice Society has
been linked to multiple ransomware strains in its malicious
campaigns aimed at the education, government, and retail
sectors.

The Microsoft Security Threat Intelligence team, which is
tracking the threat cluster under the moniker DEV-0832, said the
group in some cases forgoes deploying ransomware altogether and
instead likely extorts victims with the data it has exfiltrated.

“Shifting ransomware payloads over time from BlackCat[1], Quantum Locker[2], and Zeppelin[3], DEV-0832’s latest
payload is a Zeppelin variant that includes Vice Society-specific
file extensions, such as .v-s0ciety, .v-society, and, most
recently, .locked,” the tech giant’s cybersecurity division
said[4].

Vice Society, active since June 2021, has been steadily observed
encrypting and exfiltrating victim data, and threatening companies
with exposure of siphoned information to pressure them into paying
a ransom.

“Unlike other RaaS (Ransomware-as-a-Service) double extortion
groups, Vice Society focuses on getting into the victim system to
deploy ransomware binaries sold on Dark web forums,” cybersecurity
company SEKOIA said[5]
in an analysis of the group in July 2022.

The financially motivated threat actor is known to rely on
exploits for publicly disclosed vulnerabilities in internet-facing
applications for initial access, while also using PowerShell
scripts, repurposed legitimate tools, and commodity backdoors such
as SystemBC[6]
prior to deploying the ransomware.

Vice Society actors have also been spotted leveraging Cobalt
Strike for lateral movement, in addition to creating scheduled
tasks for persistence and abusing vulnerabilities in Windows Print
Spooler (aka PrintNightmare[7]) and Common Log File
System (CVE-2022-24521[8]) to escalate
privileges.

“Vice Society actors attempt to evade detection through
masquerading their malware and tools as legitimate files, using
process injection, and likely use evasion techniques to defeat
automated dynamic analysis,” the U.S. Cybersecurity and
Infrastructure Security Agency (CISA) said[9]
last month.

In one July 2022 incident disclosed by Microsoft, the threat
actor is said to have initially attempted to deploy QuantumLocker
executables, only to follow up with suspected Zeppelin
ransomware binaries five hours later.

“Such an incident might suggest that DEV-0832 maintains multiple
ransomware payloads and switches depending on target defenses or,
alternatively, that dispersed operators working under the DEV-0832
umbrella might maintain their own preferred ransomware payloads for
distribution,” Redmond noted.

Among other tools utilized by DEV-0832 is a Go-based backdoor
called PortStarter that offers the capability to alter firewall
settings and open ports to establish connections with
pre-configured command-and-control (C2) servers.

Vice Society, aside from taking advantage of living-off-the-land
binaries (LOLBins) to run malicious code, has also been found
attempting to turn off Microsoft Defender Antivirus using registry
commands.
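As an added defender-side example (not from the article, Microsoft or CISA), the following Python flags process-creation events that match two of the behaviours described above: Defender being switched off through registry writes, and scheduled tasks created for persistence. The events, hostnames and file paths are constructed sample data; the registry key and value names are the standard Defender policy locations.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableRealtimeMonitoring -Value 1"},
    {"host": "srv02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\svchost.exe" /sc onlogon /ru SYSTEM'},
    {"host": "ws03", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
]

# Defender policy hive and the value names that disable protection when set to 1.
DEFENDER_KEY = re.compile(r"Policies\\Microsoft\\Windows Defender", re.IGNORECASE)
DEFENDER_VALUES = re.compile(
    r"Disable(AntiSpyware|RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", re.IGNORECASE)
# Registry write verbs: reg.exe add, or the PowerShell cmdlets that write values.
REG_WRITE = re.compile(r"\breg(\.exe)?\s+add\b|Set-ItemProperty|New-ItemProperty", re.IGNORECASE)
# Scheduled-task creation whose action lives in a user-writable directory.
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData)\\", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the command line matches a tracked behaviour, else None."""
    cmd = event["cmdline"]
    if REG_WRITE.search(cmd) and DEFENDER_KEY.search(cmd) and DEFENDER_VALUES.search(cmd):
        return "defender_tamper"
    if TASK_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
        return "suspicious_scheduled_task"
    return None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over every event and collect the hits with host context."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule:
            alerts.append({"host": ev["host"], "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['cmdline']}")
```

A benign `reg query` against an unrelated key is deliberately included to show the rule does not fire on read-only registry access.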

Data exfiltration is eventually achieved by launching a
PowerShell script that transmits wide-ranging sensitive
information, ranging from financial documents to medical data, to a
hard-coded attacker-owned IP address.

Redmond further pointed out that the cybercrime group focuses on
organizations with weaker security controls and a higher likelihood
of a ransom payout, underscoring the need to apply necessary safeguards[10] to prevent such
attacks.

“The shift from a ransomware as a service (RaaS) offering
(BlackCat) to a purchased wholly-owned malware offering (Zeppelin)
and a custom Vice Society variant indicates DEV-0832 has active
ties in the cybercriminal economy and has been testing ransomware
payload efficacy or post-ransomware extortion opportunities,”
Microsoft said.

References

  1. BlackCat (thehackernews.com)
  2. Quantum Locker (www.cybereason.com)
  3. Zeppelin (www.cisa.gov)
  4. Microsoft Security Threat Intelligence report on DEV-0832 (www.microsoft.com)
  5. SEKOIA analysis of Vice Society, July 2022 (blog.sekoia.io)
  6. SystemBC (thehackernews.com)
  7. PrintNightmare (thehackernews.com)
  8. CVE-2022-24521 (thehackernews.com)
  9. CISA advisory on Vice Society (www.cisa.gov)
  10. CISA guidance on applying necessary safeguards (www.cisa.gov)
