+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Vice Society: Opportunistic Ransomware Group

The threat group tracked as DEV-0832 by Microsoft’s security threat intelligence analysts, also known as Vice Society, are a group of cyber criminals that are thought to have been active since at least June 2021. They have been credited for ransomware and extortion campaigns across the world but have mainly focused on US-based targets. The most recent attacks have been against the education sector, including schools, but previous attacks have also been found where their victims were universities, local governments, and retail organisations. It is thought that their attacks against these various sectors were opportunistic, the group target organisations with weak security controls in financially motivated data encryption and exfiltration attacks with the end goal of a ransom pay-out.  

 

Vice Society use a range of ransomware payloads in their attacks, and are known for switching between them, in some cases even delivering two different payloads in one attack. This was observer in July 2022, where the group initially delivered QuantumLocker binaries, a known form of ransomware as a service (RaaS), but then 5 hours later deployed Zeppelin binaries as well. More recently in September 2022 they have been seen to use their own variant of the Zeppelin ransomware, which is tagged with the file extension .v-s0ciety, or .v-society, or a RedAlert variant with the file extension .locked 

 

However, Microsoft have observed that in some cases this threat group did not deliver any ransomware payloads, and instead solely exfiltrated data, with no encryption or denial of service on the victim’s device. This attack was based on extorting a ransom due to the victims not wanting the stolen data to be published online, which appears to be a growing successful attack platform for ransomware gangs. One of the concerns that security professionals have about this group is their cross-platform capabilities. Despite most of their attacks being observed in Windows environments, they also have Linux Encryptor capabilities for deployment on Linux ESXi servers. 

 

The Cybersecurity and Infrastructure Security Agency (CISA) released a joint security advisory with the FBI and MS-ISAC (Multi-State Information Sharing and Analysis Center) in September as a part of their #StopRansomware campaign, focusing on the activity of the Vice Society group. Their advice was targeted towards schools and educational institutions in the US based on the pattern of previous attacks by this threat group. In this it was revealed that the group tend to gain initial access to devices and networks through compromised credentials and known exploited vulnerabilities in internet-facing applications. Before deploying a ransomware payload, the attackers will explore the network environment, attempt escalation of privileges, and exfiltrate data. 

 

Most Vice Society attacks use a PowerShell script to perform activities, such as system discovery, system changes, defence evasion, persistence, data exfiltration, and delivering ransomware payloads. These scripts are staged on a domain controller giving them the authenticated access needed to deliver commands. Stolen credentials for valid accounts also provide this authentication for the attack. Credentials were often harvested through memory dumps, such as through access to the Local Security Authority Server Service (LSASS) dumps. These threat actors used comsvcs.dll to dump the LSASS process memory for access to credentials, and if domain admin level credentials were obtained, they then exfiltrated Active Directory data from a NTDS.dit file for later cracking. Escalation of privileges were also found by the attackers abusing security vulnerabilities such as CVE-2022-24521. This Windows Common Log File System vulnerability was seen abused by attackers in August, despite patches being available since April.  

 

After the attackers had suitable credentials, they perform lateral movement within the network using Remote Desktop Protocol (RDP), and interact with remote parts of the network using Server Message Block (SMB). This was where they would then stage the PowerShell scripts and payloads. Ransomware payloads were also sometimes delivered by legitimate tools, such as Power Admin, which also required the attackers to obtain credentials to make authorised changes. Advanced Port Scanner, Advanced IP Scanner, Windows Management Instrumentation (WMI), vssadmin, and PsExec are other legitimate tools this group are known to have abused in their attack process. On one occasion, Vice Society attempted to disable Antivirus on Microsoft Defender by using registry commands. 

 

Two main tools were used for backdoor access in post-compromised networks: SystemBC and PortStarter. When conducting an attack utilising SystemBC, they used credentials for a domain admin account and a contractor account, which they used to launch their PowerShell script. This triggered to launch of the remote access trojan (RAT), SystemBC, in a session value named “socks”. The other tool, PortStarter, is written in Go, and allows the attackers to modify the firewall settings, including opening ports, and connecting to their C2 (command and control) servers. These backdoors allowed the attackers to use “living off the land” techniques, abusing legitimate tools such as WMI in the process. SystemBC was also used for lateral movement within the network. 

 

Data exfiltration, mostly performed by PowerShell scripts, was executed through searches for target keywords. As the words were often non-specific such as targeting both financial and medical information, it is believed that each attack is not crafted for each victim, but instead one general script exists for targeting all potential victims. The script also contained hardcoded IP addresses that belong to Vice Society. File compression tools were also used in the data exfiltration process, as well as tools such as Rclone and MegaSync that allowed the attackers to upload the data to cloud storage locations. 

 

Steps should be taken by all organisations to mitigate ransomware attacks, as they can be damaging to reputation as well as having the possibility to cause financial and data loss. Keeping all systems and software up to date can protect your data, as attackers will often abuse unpatched systems, especially if details of the vulnerability are released at the time of the patch. Confirming that security configurations are tamper-proof is also a necessary defence to this form of attack. In the case of the attackers attempting to disable the Windows Defender Antivirus, enabling tamper protection would cause their commands to be unsuccessful. The range of targets globally by Vice Society emphasises a need to put cybersecurity first, especially in cases like this where the threat actors target organisations weak security controls for financial gain.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.