All About Vice Society Ransomware

Updated on February 3, 2023

With a penchant for the susceptible education sector, Vice Society has been making headlines this year by hitting K-12 school districts, apart from healthcare and non-governmental organizations. As stated in an FBI advisory, cybersecurity experts expect it to ramp up its attacks throughout the latter half of 2022 and into 2023.

Being one of the most prolific ransomware groups in 2022, Vice Society ransomware quickly gained the interest of our cybersecurity analysts at Securin who took a deep dive into the secrets behind Vice Society.

In this blog:

 

Vice Society: A Brief History

It is believed that Vice Society, also tracked as DEV-0832, is a Russian-based group active since December 2020.

Vice Society, unlike other ransomware groups, is essentially a hacking group that first appeared in the news in August 2021 and has been associated with multiple intrusion, exfiltration and extortion attacks ever since.

The threat actors have a history of deploying multiple variants of ransomware, such as Hello Kitty or Five Hands, Zeppelin, and an in-house ransomware also called Vice Society. Since Vice Society and HelloKitty use similar naming extensions and tactics for their encrypted files–.kitty or .crypted–it is believed that there is a link between the two.

Vice Society Ransomware Threat Activity Mapping by CSW

Figure 1: Vice Society Ransomware Threat Activity

Vice Society Ransomware Cheat Sheet

Vice Society ransomware operators deploy a malicious Dynamic-link library (DLL) to exploit the two PrintNightmare flaws. They have also been observed to encrypt both Windows and Linux systems using OpenSSL (AES256 + secp256k1 + ECDSA).

Though Vice Society has also been tied to using VMware ESXi vulnerabilities, no CVE associations have been conclusively identified for the threat actor.

Vice Society Ransomware PrintNightmare Vulnerability Associations

Securin Releases Detection Script to Address the PrintNightmare Vulnerabilities

In July 2021, within a few days of active exploitation, Securin’s analysts developed a detection script for organizations to address the PrintNightmare vulnerabilities and secure their attack surfaces from further exploitation. Both PrintNightmare vulnerabilities were also added of the Department of Homeland Security’s CISA Known Exploited Vulnerabilities Catalog in November 2021.

Securin’s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust

With the help of Securin’s Vulnerability Intelligence platform, Securin experts predicted the likelihood of more attacks leveraging the two PrintNightmare vulnerabilities. Here is a deeper look into how they used predictive analytics to assess the possibilities of future attacks.

CVE-2021-34527

This CVE was tagged as extremely critical from the very beginning and also carries the highest predictive score of 38.46 on Securin’s Vulnerability Intelligence platform. The CVE is associated with four ransomware families, namely, Black Basta, Vice Society, Conti, and Magniber.

CVE-2021-34527 Securin Predictive Analysis

CVE-2021-1675

In contrast to CVE-2021-34527, this CVE did not receive Securin’s highest predictive score of 38.46 till February 2022, after becoming associated with multiple ransomware families such as Magniber, Vice Society and Conti.

CVE-2021-1675 Securin Predictive Analysis

Our analysts have been analyzing the PrintNightmare vulnerabilities since the first wild proofs of concept were discovered in June 2021. Here is a graph showing how Securin was able to predict the exploitability of the CVEs much prior to its association with ransomware groups:

CSW Predictions for PrintNightmare CVEs

History of Attacks by Vice Society Ransomware

The threat group’s most recent victim, the Cincinnati State Technical and Community College, comes in the wake of the attack on the second largest school district in the United States, the Los Angeles Unified School District (LAUSD), in June 2022, which brought the capabilities of the group to the limelight and initiated warnings from FBI, NSA and the Department of Homeland Security CISA.

Other high-profile education sector attacks include the Austrian Medical University of Innsbruck that fell prey to the group in June 2022, affecting IT systems and 3,200 students.

Here is a list of the other attacks carried out by Vice Society:

Targets

Month

Impact of the Attack

Cincinnati State Technical and Community College

November 2022

PII and documents stolen, IT disruption affecting 10,000 students and 1,000 staff

Austrian Medical University, Innsbruck

June 2022

IT disruption affecting 3,400 students

City of Palermo, Italy

June 2022

Large-scale services outage impacting 1.3 million people and tourists visiting the city

Los Angeles Unified School District (LAUSD)

May 2022

Los Angeles city and 31 municipalities hit by the cyberattack.  640,000 students PII affected. 500 GB data stolen

Optionis Group

February 2022

dumping of contractors’ data online, thousands of files dumped onto leak site

Spar supermarket

January 2022

took down card machines in 600 stores and forced some to close their doors

James Hall & Co

December 2021

93,000 stolen files were published by the gang

United Health Centers

September 2021

disrupted all of their locations and resulted in patient data theft

Barlow Respiratory Hospital

September 2021

affected several IT systems, network and electronic medical record system

Manhasset Union Free School District in Long Island

mid-2021

dumped the district’s data on their dark web leak site

Eskenazi Health

August 2021

electronic health record (EHR) downtime faced with extensive IT disruption

Town of Rolle, Switzerland

August 2021

administrative servers affected and sensitive documents exfiltrated

Linn-Mar School District

August 2021

IT system disruption

  Interesting Trends

  • New PowerShell data theft tool: 

    Vice Society ransomware operators were observed utilizing a PS script recovered from a Windows Event Log (WEL) with an Event ID 4104: Script Block Logging event. The exfiltrator uses ‘living off the land’ binaries and scripts that are therefore likely to avoid detection by security software, keeping the progress stealthy till the penultimate step when the ransomware is deployed and encryption begins.

  • Switching to a New Custom Encryptor:

Vice Society ransomware was observed using a custom ransomware encryption that uses a strong hybrid encryption algorithm that combines asymmetric encryption with the NTRUEncrypt scheme and symmetric encryption with ChaCha20-Poly1305. The new encryptor, dubbed ‘PolyVice’, has a lot of similarities in the code to that of Chilly ransomware and SunnyDay ransomware. It also gives Vice Society a unique attack signature, moving away from their usual ‘.ViceSociety’ extension, to ‘AllYFilesAE’.

Here is a short insight into how the encryption functions:

  • The payload imports a pre-generated 192-bit NTRUEncrypt public key upon launch.
  • Another random 112-bit NTRUEncrypt private key, unique to each victim, is generated by the payload.
  • The pair of keys is used for encrypting the ChaCha20-Poly1305 symmetric keys that are unique to each file.
  • The NTRU key pair is encrypted to protect it from attempts to retrieve stolen data.
  • Multiple Ransomware Strains Used: 

An interesting trend was observed recently by our cybersecurity experts, where the ransomware group was noticed swapping between multiple ransomware strains. Though not the first to be implementing multiple ransomware strains, the tactics are similar to two other groups—the Sandworm Team and TA505. Vice Society ransomware has been switching  between Zeppelin, BlackCat, QuantumLocker, and a Vice Society-branded variant of Zeppelin ransomware.

  • Skipping the Deployment Stage: 

In some attacks, the group has also skipped the ransomware deployment stage, opting for stealing data from the victims and extorting them and threatening to leak the stolen files online.

Scanner Coverage: Hiding in Plain Sight?

Common scanners such as Nessus, Qualys and others, were able to spot the PrintNightmare vulnerabilities leveraged by Vice Society ransomware. As a result, patching and ensuring that the organization’s attack surface is secure should be of foremost priority.

How does Vice Society Ransomware Attack?

All About Vice Society's Attack Methodology

 

Vice Society MITRE ATT&CK Map and Indicators of Compromise

Vice Society Ransomware MITRE Map

 

Indicators of Compromise

 MD5:

  • fb91e471cfa246beb9618e1689f1ae1d

 SHA1:

  • a0ee0761602470e24bcea5f403e8d1e8bfa29832

  • 3122ea585623531df2e860e7d0df0f25cce39b21

  • 41dc0ba220f30c70aea019de214eccd650bc6f37

  • c9c2b6a5b930392b98f132f5395d54947391cb79

 SHA256:

  • 6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af

  • HelloKitty samples from end of 2021 (for Linux) with Vice Society ransom note:
    • 78efe6f5a34ba7579cfd8fc551274029920a9086cb713e859f60f97f591a7b04

    • 754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537

  • Recent samples (May 2022), using Zeppelin ransomware with the Vice Society ransom note. Some of these samples use Windows binary names.
    • 24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7

    • 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e

    • Ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75

    • Aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe

    • Bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d

 URL:

  • hxxp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion

 IP Addresses:

  • 5[.]255[.]99[.]59

  • 5[.]161[.]136[.]176

  • 198[.]252[.]98[.]184

  • 194[.]34[.]246[.]90

 Other Info:

  • v-society[.]official@onionmail[.]org

  • ViceSociety[@]onionmail[.]org

  • OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org

How can Securin Help Protect Your Organization Against Vice Society Ransomware Attacks?

The effect of ransomware attacks on colleges and K-12 schools in the US alone is an estimated $3.56 billion. With so many individuals at risk of data theft, improving cyber security for the future is the solution. Since the data is often unrecoverable, it is important for school districts to stay ahead of the attacker.

As highlighted in Securin’s Ransomware Spotlight Report 2022 Q2 and Q3, the total number of vulnerabilities tied to ransomware has risen to 323, clocking a 466% growth from 2019. Overall, 35 vulnerabilities have become associated with ransomware in 2022, with 159 key ransomware associated vulnerabilities trending as a point of interest for malicious actors. This emphasizes the need for periodic vulnerability management and patching to maintain good cyber hygiene.

Securin’s Attack Surface Management platform helps improve your organizational security posture through actionable insights by leveraging our excellent threat hunting expertise. Click here to learn more about Securin.

Worried about how susceptible your organization is to a ransomware attack?
Get a Ransomware Exposure Assessment done today! 

Click here to talk to us. 

 

Share This Post On