{"id":12101,"date":"2022-12-23T04:04:20","date_gmt":"2022-12-23T11:04:20","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=12101"},"modified":"2023-04-19T04:03:05","modified_gmt":"2023-04-19T11:03:05","slug":"all-about-vice-society-ransomware","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/all-about-vice-society-ransomware\/","title":{"rendered":"All About Vice Society Ransomware"},"content":{"rendered":"
With a penchant for the susceptible education sector, Vice Society has been making headlines this year by hitting K-12 school districts, apart from healthcare and non-governmental organizations. As stated in an FBI advisory<\/a>, cybersecurity experts expect it to ramp up its attacks throughout the latter half of 2022 and into 2023.<\/p>\n Being one of the most prolific ransomware groups in 2022, Vice Society ransomware quickly gained the interest of our cybersecurity analysts at Securin who took a deep dive into the secrets behind Vice Society.<\/p>\n Vice Society: A Brief History<\/a><\/p>\n<\/li>\n Vice Society Ransomware Cheat Sheet<\/a><\/p>\n<\/li>\n Securin\u2019s Detection Script for PrintNightmare Vulnerabilities<\/a><\/p>\n Securin\u2019s Predictive Insights of the PrintNightmare Vulnerabilities<\/a><\/p>\n CVE-2021-34527<\/a><\/p>\n<\/li>\n CVE-2021-1675<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n History of Attacks by Vice Society Ransomware<\/a><\/p>\n<\/li>\n Interesting Trends<\/a><\/p>\n Switching to a New Custom Encryptor<\/a><\/p>\n<\/li>\n Multiple Ransomware Strains Used<\/a><\/p>\n<\/li>\n Skipping the Deployment Stage<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n Scanner Coverage: Hiding in Plain Sight?<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n How does Vice Society Ransomware Attack?\u00a0<\/a><\/p>\n MITRE ATT&CK Map and Indicators of Compromise<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n What can organizations do to prevent a Vice Society attack?<\/a><\/p>\n<\/li>\n<\/ul>\n <\/p>\n It is believed that Vice Society, also tracked as DEV-0832, is a Russian-based group active since December 2020.<\/p>\n Vice Society, unlike other ransomware groups, is essentially a hacking group that first appeared in the news in August 2021 and has been associated with multiple intrusion, exfiltration and extortion attacks ever since.<\/p>\n The threat actors have a history of deploying multiple variants of ransomware, such as Hello Kitty or Five Hands, Zeppelin, and an in-house ransomware 
also called Vice Society. Since Vice Society and HelloKitty<\/a> use similar naming extensions and tactics for their encrypted files\u2013.kitty or .crypted\u2013it is believed that there is a link between the two.<\/p>\n <\/p>\n Figure 1:<\/strong> Vice Society Ransomware Threat Activity<\/p>\n Vice Society ransomware operators deploy a malicious Dynamic-link library (DLL) to exploit the two PrintNightmare<\/a> flaws. They have also been observed to encrypt both Windows and Linux systems using OpenSSL (AES256 + secp256k1 + ECDSA).<\/p>\n Though Vice Society has also been tied to using VMware ESXi vulnerabilities, no CVE associations have been conclusively identified for the threat actor.<\/p>\n <\/p>\n In July 2021, within a few days of active exploitation, Securin\u2019s analysts developed a detection script<\/a> for organizations to address the PrintNightmare vulnerabilities and secure their attack surfaces from further exploitation. Both PrintNightmare vulnerabilities were also added to the Department of Homeland Security\u2019s CISA Known Exploited Vulnerabilities Catalog in November 2021.<\/p>\n With the help of Securin\u2019s Vulnerability Intelligence platform, Securin experts predicted the likelihood of more attacks leveraging the two PrintNightmare vulnerabilities. Here is a deeper look into how they used predictive analytics to assess the possibilities of future attacks.<\/p>\n <\/a>CVE-2021-34527<\/strong><\/p>\n This CVE was tagged as extremely critical from the very beginning and also carries the highest predictive score of 38.46 on Securin\u2019s Vulnerability Intelligence platform. 
The CVE is associated with four ransomware families, namely, Black Basta, Vice Society, Conti, and Magniber.<\/p>\n <\/p>\n <\/a>CVE-2021-1675<\/strong><\/p>\n In contrast to CVE-2021-34527, this CVE did not receive Securin\u2019s highest predictive score of 38.46 until February 2022, after becoming associated with multiple ransomware families such as Magniber, Vice Society and Conti.<\/p>\n <\/p>\n Our analysts have been analyzing the PrintNightmare vulnerabilities since the first wild proofs of concept were discovered in June 2021. Here is a graph showing how Securin was able to predict the exploitability of the CVEs well before their association with ransomware groups:<\/p>\n <\/p>\n The threat group\u2019s most recent victim, the Cincinnati State Technical and Community College, comes in the wake of the attack on the second-largest school district in the United States, the Los Angeles Unified School District (LAUSD), in June 2022, which brought the capabilities of the group to the limelight and prompted warnings from the FBI, NSA, and the Department of Homeland Security\u2019s CISA.<\/p>\n Other high-profile education sector attacks include the Austrian Medical University of Innsbruck, which fell prey to the group in June 2022, affecting IT systems and 3,200 students.<\/p>\n Here is a list of the other attacks carried out by Vice Society:<\/p>\nIn this blog:<\/h3>\n
<\/a>Vice Society: A Brief History<\/h3>\n
<\/a>Vice Society Ransomware Cheat Sheet<\/h3>\n
Securin<\/a>\u00a0Releases Detection Script to Address the PrintNightmare Vulnerabilities<\/h3>\n
<\/a>Securin\u2019s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust<\/h3>\n
<\/a>History of Attacks by Vice Society Ransomware<\/h3>\n