{"id":12101,"date":"2022-12-23T04:04:20","date_gmt":"2022-12-23T11:04:20","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=12101"},"modified":"2023-04-19T04:03:05","modified_gmt":"2023-04-19T11:03:05","slug":"all-about-vice-society-ransomware","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/all-about-vice-society-ransomware\/","title":{"rendered":"All About Vice Society Ransomware"},"content":{"rendered":"<p>With a penchant for the susceptible education sector, Vice Society has been making headlines this year by hitting K-12 school districts, apart from healthcare and non-governmental organizations. As stated in an<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-warns-of-vice-society-ransomware-attacks-on-school-districts\/\" target=\"_blank\" rel=\"noopener\"> FBI advisory<\/a>, cybersecurity experts expect it to ramp up its attacks throughout the latter half of 2022 and into 2023.<\/p>\n<p dir=\"ltr\">Being one of the most prolific ransomware groups in 2022, Vice Society ransomware quickly gained the interest of our cybersecurity analysts at Securin who took a deep dive into the secrets behind Vice Society.<\/p>\n<h3 dir=\"ltr\">In this blog:<\/h3>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Vice Society: A Brief History\">Vice Society: A Brief History<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Vice Society Ransomware Cheat Sheet\">Vice Society Ransomware Cheat Sheet<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#CSW Releases Detection scxxxript to Address the PrintNightmare Vulnerabilities\">Securin\u2019s Detection Script for PrintNightmare Vulnerabilities<\/a><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Securin\u2019s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust\">Securin\u2019s Predictive Insights of the PrintNightmare Vulnerabilities<\/a><\/p>\n<ul>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#CVE-2021-34527\">CVE-2021-34527<\/a><\/p>\n<\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#CVE-2021-1675\">CVE-2021-1675<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\" aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#History of Attacks by Vice Society Ransomware\">History of Attacks by Vice Society Ransomware<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Interesting Trends\">Interesting Trends<\/a><\/p>\n<ul>\n<li aria-level=\"2\"><a href=\"#New PowerShell data theft tool\">New PowerShell data theft tool<\/a><\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Switching to a new custom encryptor\">Switching to a New Custom Encryptor<\/a><\/p>\n<\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Multiple Ransomware Strains Used\">Multiple Ransomware Strains Used<\/a><\/p>\n<\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Skipping the Deployment Stage\">Skipping the Deployment Stage<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\" aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Scanner Coverage: Hiding in Plain Sight?\">Scanner Coverage: Hiding in Plain Sight?<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#How does Vice Society Ransomware Attack?\">How does Vice Society Ransomware Attack?\u00a0<\/a><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#Vice Society IOCs and MITRE Map\">MITRE ATT&amp;CK Map and Indicators of Compromise<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"#How can Securin Help Protect Your Organization Against Vice Society Ransomware Attacks?\">What can organizations do to prevent a Vice Society attack?<\/a><\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3 dir=\"ltr\"><a id=\"Vice Society: A Brief History\" name=\"Vice Society: A Brief History\"><\/a>Vice Society: A Brief History<\/h3>\n<p dir=\"ltr\">It is believed that Vice Society, also tracked as DEV-0832, is a Russian-based group active since December 2020.<\/p>\n<p dir=\"ltr\">Vice Society, unlike other ransomware groups, is essentially a hacking group that first appeared in the news in August 2021 and has been associated with multiple intrusion, exfiltration and extortion attacks ever since.<\/p>\n<p dir=\"ltr\">The threat actors have a history of deploying multiple variants of ransomware, such as Hello Kitty or Five Hands, Zeppelin, and an in-house ransomware also called Vice Society. Since Vice Society and <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/03\/hellokitty-when-cyberpunk-met-cy-purr-crime\" target=\"_blank\" rel=\"noopener\">HelloKitty<\/a> use similar naming extensions and tactics for their encrypted files\u2013.kitty or .crypted\u2013it is believed that there is a link between the two.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 100%; width: 100%;\" title=\"Chart\" src=\"https:\/\/lh3.googleusercontent.com\/VLN_WuLHxYPctmtprKsgqiKz0cCQLpkO8Ussy9o49d2yUjXdJ77CsGK8s0crEeNXMYEUFH8FSlp4_p1IbGvbfeNePK2YdrVYvalaATx7iQoMlEyeFAnHDAXMvkI63HwHA5K3vBlMP_Rt5gCOqnsftBbnzTRJwJ79S6B_alb6ZsEX2AiY17f25EQmX2GXhw\" alt=\"Vice Society Ransomware Threat Activity Mapping by CSW\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Figure 1:<\/strong> Vice Society Ransomware Threat Activity<\/p>\n<h3 dir=\"ltr\"><a id=\"Vice Society Ransomware Cheat Sheet\" name=\"Vice Society Ransomware Cheat Sheet\"><\/a>Vice Society Ransomware Cheat Sheet<\/h3>\n<p dir=\"ltr\">Vice Society ransomware operators deploy a malicious Dynamic-link library (DLL) to exploit the two <a href=\"https:\/\/cybersecurityworks.com\/blog\/vulnerabilities\/how-to-detect-cve-2021-34527.html\" target=\"_blank\" rel=\"noopener\">PrintNightmare<\/a> flaws. They have also been observed to encrypt both Windows and Linux systems using OpenSSL (AES256 + secp256k1 + ECDSA).<\/p>\n<p dir=\"ltr\">Though Vice Society has also been tied to using VMware ESXi vulnerabilities, no CVE associations have been conclusively identified for the threat actor.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 400px; height: 400px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/screenshot_20221223_162538-2.jpg\" alt=\"Vice Society Ransomware PrintNightmare Vulnerability Associations\" \/><\/p>\n<h3 dir=\"ltr\">Securin<a id=\"CSW Releases Detection scxxxript to Address the PrintNightmare Vulnerabilities\" name=\"CSW Releases Detection scxxxript to Address the PrintNightmare Vulnerabilities\"><\/a>\u00a0Releases Detection Script to Address the PrintNightmare Vulnerabilities<\/h3>\n<p dir=\"ltr\">In July 2021, within a few days of active exploitation, Securin\u2019s analysts developed a <a href=\"https:\/\/cybersecurityworks.com\/blog\/vulnerabilities\/how-to-detect-cve-2021-34527.html#scxxxript\" target=\"_blank\" rel=\"noopener\">detection script<\/a> for organizations to address the PrintNightmare vulnerabilities and secure their attack surfaces from further exploitation. Both PrintNightmare vulnerabilities were also added of the Department of Homeland Security&#8217;s CISA Known Exploited Vulnerabilities Catalog in November 2021.<\/p>\n<h3 dir=\"ltr\"><a id=\"Securin\u2019s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust\" name=\"Securin\u2019s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust\"><\/a>Securin\u2019s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust<\/h3>\n<p dir=\"ltr\">With the help of Securin\u2019s Vulnerability Intelligence platform, Securin experts predicted the likelihood of more attacks leveraging the two PrintNightmare vulnerabilities. Here is a deeper look into how they used predictive analytics to assess the possibilities of future attacks.<\/p>\n<p dir=\"ltr\"><a id=\"CVE-2021-34527\" name=\"CVE-2021-34527\"><\/a><strong>CVE-2021-34527<\/strong><\/p>\n<p dir=\"ltr\">This CVE was tagged as extremely critical from the very beginning and also carries the highest predictive score of 38.46 on Securin\u2019s Vulnerability Intelligence platform. The CVE is associated with four ransomware families, namely, Black Basta, Vice Society, Conti, and Magniber.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 277px; width: 800px;\" src=\"https:\/\/lh4.googleusercontent.com\/Arz1RMLDO2dqu6M2gOVpH3IOXxdIjXHCQJlFnS6zY0GZbZJ6VsAQq9veak0s5UCDfLS2MOFQt-z6xMBlfqMciSt5oIcCv6ZX-Snemh8s_GVpVzyW1te3ndmxcV3fZSJUqvJhcEQbKjTbxk_DE7kiZXEwl78tQ4xNnWLM2TQ-4RpnOwm_A2qQsTY-KB9QiQ\" alt=\"CVE-2021-34527 Securin Predictive Analysis\" \/><\/p>\n<p dir=\"ltr\"><a id=\"CVE-2021-1675\" name=\"CVE-2021-1675\"><\/a><strong>CVE-2021-1675<\/strong><\/p>\n<p dir=\"ltr\">In contrast to CVE-2021-34527, this CVE did not receive Securin\u2019s highest predictive score of 38.46 till February 2022, after becoming associated with multiple ransomware families such as Magniber, Vice Society and Conti.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 282px; width: 800px;\" src=\"https:\/\/lh4.googleusercontent.com\/pyA51IlyXrmHY9SrAo4K2Xmc61EPBgMK4BW-sm1dSAZxFa1Lq4gU5UD1OjyWh1Xirs5CV2K3YY70NQR5CcQn4hacY9_qRoBjDYGfDw619aqX0ctDp-VC7fF450xB7nULL8DBAUze-bb1oOKl_UlWnSGVuyY4ZakjBnzk_yKqC98hVOPT7GUY2h5uTQ_YNQ\" alt=\"CVE-2021-1675 Securin Predictive Analysis\" \/><\/p>\n<p dir=\"ltr\">Our analysts have been analyzing the PrintNightmare vulnerabilities since the first wild proofs of concept were discovered in June 2021. Here is a graph showing how Securin was able to predict the exploitability of the CVEs much prior to its association with ransomware groups:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"height: 100%; width: 100%;\" title=\"Chart\" src=\"https:\/\/lh6.googleusercontent.com\/R3jAe8cvRPGkX8I_u2fVZnLtFWwG3w-py_mF0RCCd1jd7K6NPZpOcDBosNn00FgRxALM73IUfT58p5u5s5BZs3b6xxGm2Lz816GFmwiqgAIVM859DEdyplIxt_ywyLwAj4IFYEa0UmmX4f9HBCkW2CUhfId7pKR_GY2e7URZ054v80TYf_8eei66aUtdJg\" alt=\"CSW Predictions for PrintNightmare CVEs\" \/><\/p>\n<h3 dir=\"ltr\"><a id=\"History of Attacks by Vice Society Ransomware\" name=\"History of Attacks by Vice Society Ransomware\"><\/a>History of Attacks by Vice Society Ransomware<\/h3>\n<p dir=\"ltr\">The threat group\u2019s most recent victim, the Cincinnati State Technical and Community College, comes in the wake of the attack on the second largest school district in the United States, the Los Angeles Unified School District (LAUSD), in June 2022, which brought the capabilities of the group to the limelight and initiated warnings from FBI, NSA and the Department of Homeland Security CISA.<\/p>\n<p dir=\"ltr\">Other high-profile education sector attacks include the Austrian Medical University of Innsbruck that fell prey to the group in June 2022, affecting IT systems and 3,200 students.<\/p>\n<p dir=\"ltr\">Here is a list of the other attacks carried out by Vice Society:<\/p>\n<table style=\"width: 700px;\" border=\"1\">\n<colgroup>\n<col \/>\n<col \/>\n<col \/> <\/colgroup>\n<tbody>\n<tr>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Targets<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Month<\/strong><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Impact of the Attack<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vice-society-ransomware-claims-attack-on-cincinnati-state-college\/\" target=\"_blank\" rel=\"noopener\">Cincinnati State Technical and Community College<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">November 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">PII and documents stolen, IT disruption affecting 10,000 students and 1,000 staff<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vice-society-claims-ransomware-attack-on-med-university-of-innsbruck\/\" target=\"_blank\" rel=\"noopener\">Austrian Medical University, Innsbruck<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">June 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">IT disruption affecting 3,400 students<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vice-society-ransomware-claims-attack-on-italian-city-of-palermo\/\" target=\"_blank\" rel=\"noopener\">City of Palermo, Italy<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">June 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Large-scale services outage impacting 1.3 million people and tourists visiting the city<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vice-society-claims-lausd-ransomware-attack-theft-of-500gb-of-data\/\" target=\"_blank\" rel=\"noopener\">Los Angeles Unified School District (LAUSD)<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">May 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">Los Angeles city and 31 municipalities hit by the cyberattack. \u00a0640,000 students PII affected. 500 GB data stolen<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.theregister.com\/2022\/02\/11\/optionis_stolen_data\/?&amp;web_view=true\" target=\"_blank\" rel=\"noopener\">Optionis Group<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">February 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">dumping of contractors&#8217; data online, thousands of files dumped onto leak site<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/techmonitor.ai\/technology\/cybersecurity\/vice-society-spar-hack-ransomware\" target=\"_blank\" rel=\"noopener\">Spar supermarket<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">January 2022<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">took down card machines in 600 stores and forced some to close their doors<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/siliconangle.com\/2021\/12\/30\/vice-society-hacks-norwegian-newspaper-takes-credit-spar-attack\/\" target=\"_blank\" rel=\"noopener\">James Hall &amp; Co<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">December 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">93,000 stolen files were published by the gang<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/united-health-centers-ransomware-attack-claimed-by-vice-society\/\" target=\"_blank\" rel=\"noopener\">United Health Centers<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">September 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">disrupted all of their locations and resulted in patient data theft<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.hipaajournal.com\/ransomware-gangs-attack-missouri-delta-medical-center-and-barlow-respiratory-hospital\/?web_view=true\" target=\"_blank\" rel=\"noopener\">Barlow Respiratory Hospital<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">September 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">affected several IT systems, network and electronic medical record system<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.databreaches.net\/update-student-and-personnel-files-from-manhasset-union-free-school-district-appear-on-the-dark-web\/\" target=\"_blank\" rel=\"noopener\">Manhasset Union Free School District in Long Island<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">mid-2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">dumped the district\u2019s data on their dark web leak site<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.scmagazine.com\/analysis\/breach\/eskenazi-health-confirms-patient-data-stolen-prior-to-ransomware-ehr-downtime?&amp;web_view=true\" target=\"_blank\" rel=\"noopener\">Eskenazi Health<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">August 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">electronic health record (EHR) downtime faced with extensive IT disruption<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/securityaffairs.co\/wordpress\/121470\/cyber-crime\/swiss-town-rolle-ransomware.html?web_view=true\" target=\"_blank\" rel=\"noopener\">Town of Rolle, Switzerland<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">August 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">administrative servers affected and sensitive documents exfiltrated<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><a href=\"https:\/\/www.wowt.com\/2022\/08\/03\/leaked-image-shows-ransomware-attack-hit-linn-mar-school-district\/\" target=\"_blank\" rel=\"noopener\">Linn-Mar School District<\/a><\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">August 2021<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\">IT system disruption<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 dir=\"ltr\">\u00a0\u00a0<a id=\"Interesting Trends\" name=\"Interesting Trends\"><\/a>Interesting Trends<\/h3>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\"><strong><strong>New PowerShell data theft tool:<\/strong><\/strong>&nbsp;\n<p>Vice Society ransomware operators were observed utilizing a PS script recovered from a Windows Event Log (WEL) with an Event ID 4104: Script Block Logging event. The exfiltrator uses &#8216;living off the land&#8217; binaries and scripts that are therefore likely to avoid detection by security software, keeping the progress stealthy till the penultimate step when the ransomware is deployed and encryption begins.<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><strong><a id=\"Switching to a new custom encryptor\" name=\"Switching to a new custom encryptor\"><\/a>Switching to a New Custom Encryptor:<\/strong><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" style=\"margin-left: 40px;\">Vice Society ransomware was observed using a custom ransomware encryption that uses a strong hybrid encryption algorithm that combines asymmetric encryption with the NTRUEncrypt scheme and symmetric encryption with ChaCha20-Poly1305. The new encryptor, dubbed \u2018PolyVice\u2019, has a lot of similarities in the code to that of Chilly ransomware and SunnyDay ransomware. It also gives Vice Society a unique attack signature, moving away from their usual \u2018.ViceSociety\u2019 extension, to \u2018AllYFilesAE\u2019.<\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\">Here is a short insight into how the encryption functions:<\/p>\n<ul>\n<li style=\"margin-left: 40px;\" role=\"presentation\">The payload imports a pre-generated 192-bit NTRUEncrypt public key upon launch.<\/li>\n<li style=\"margin-left: 40px;\" role=\"presentation\">Another random 112-bit NTRUEncrypt private key, unique to each victim, is generated by the payload.<\/li>\n<li style=\"margin-left: 40px;\" role=\"presentation\">The pair of keys is used for encrypting the ChaCha20-Poly1305 symmetric keys that are unique to each file.<\/li>\n<li style=\"margin-left: 40px;\" role=\"presentation\">The NTRU key pair is encrypted to protect it from attempts to retrieve stolen data.<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><strong><a id=\"Multiple Ransomware Strains Used\" name=\"Multiple Ransomware Strains Used\"><\/a>Multiple Ransomware Strains Used:\u00a0<\/strong><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" style=\"margin-left: 40px;\">An interesting trend was observed recently by our cybersecurity experts, where the ransomware group was noticed swapping between multiple ransomware strains. Though not the first to be implementing multiple ransomware strains, the tactics are similar to two other groups\u2014the Sandworm Team and TA505. Vice Society ransomware has been switching \u00a0between Zeppelin, BlackCat, QuantumLocker, and a Vice Society-branded variant of Zeppelin ransomware.<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><strong><a id=\"Skipping the Deployment Stage\" name=\"Skipping the Deployment Stage\"><\/a>Skipping the Deployment Stage:\u00a0<\/strong><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" style=\"margin-left: 40px;\">In some attacks, the group has also skipped the ransomware deployment stage, opting for stealing data from the victims and extorting them and threatening to leak the stolen files online.<\/p>\n<h3 dir=\"ltr\"><a id=\"Scanner Coverage: Hiding in Plain Sight?\" name=\"Scanner Coverage: Hiding in Plain Sight?\"><\/a>Scanner Coverage: Hiding in Plain Sight?<\/h3>\n<p>Common scanners such as Nessus, Qualys and others, were able to spot the PrintNightmare vulnerabilities leveraged by Vice Society ransomware. As a result, patching and ensuring that the organization\u2019s attack surface is secure\u00a0should be of foremost priority.<\/p>\n<h3><a id=\"How does Vice Society Ransomware Attack?\" name=\"How does Vice Society Ransomware Attack?\"><\/a>How does Vice Society Ransomware Attack?<\/h3>\n<p><img decoding=\"async\" style=\"width: 700px; height: 696px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/all-about-vice-society-ransomware-2.png\" alt=\"All About Vice Society's Attack Methodology\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3 dir=\"ltr\"><a id=\"Vice Society IOCs and MITRE Map\" name=\"Vice Society IOCs and MITRE Map\"><\/a>Vice Society MITRE ATT&amp;CK Map and Indicators of Compromise<\/h3>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 100%; height: 100%;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/all-about-vice-society-ransomware-1.png\" alt=\"Vice Society Ransomware MITRE Map\" \/><\/p>\n<p>&nbsp;<\/p>\n<table style=\"width: 600px;\" border=\"1\">\n<colgroup>\n<col \/> <\/colgroup>\n<tbody>\n<tr>\n<td>\n<p dir=\"ltr\" style=\"text-align: center;\"><b id=\"docs-internal-guid-9d639486-7fff-f522-23d6-c33f55e16438\">Indicators of C<\/b><strong>ompromise<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\">\u00a0MD5:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">fb91e471cfa246beb9618e1689f1ae1d<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0SHA1:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">a0ee0761602470e24bcea5f403e8d1e8bfa29832<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">3122ea585623531df2e860e7d0df0f25cce39b21<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">41dc0ba220f30c70aea019de214eccd650bc6f37<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">c9c2b6a5b930392b98f132f5395d54947391cb79<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0SHA256:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af<\/p>\n<\/li>\n<li>HelloKitty samples from end of 2021 (for Linux) with Vice Society ransom note:\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">78efe6f5a34ba7579cfd8fc551274029920a9086cb713e859f60f97f591a7b04<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>Recent samples (May 2022), using Zeppelin ransomware with the Vice Society ransom note. Some of these samples use Windows binary names.\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0URL:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">hxxp:\/\/vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0IP Addresses:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">5[.]255[.]99[.]59<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">5[.]161[.]136[.]176<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">198[.]252[.]98[.]184<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">194[.]34[.]246[.]90<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">\u00a0Other Info:<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">v-society[.]official@onionmail[.]org<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">ViceSociety[@]onionmail[.]org<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org<\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 dir=\"ltr\"><a name=\"How can Securin Help Protect Your Organization Against Vice Society Ransomware Attacks?\"><\/a>How can Securin Help Protect Your Organization Against Vice Society Ransomware Attacks?<\/h3>\n<p dir=\"ltr\">The effect of ransomware attacks on colleges and <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/we-need-cyber-safety-for-our-schools.html\" target=\"_blank\" rel=\"noopener\">K-12 schools<\/a> in the US alone is an estimated $3.56 billion. With so many individuals at risk of data theft, improving cyber security for the future is the solution. Since the data is often unrecoverable, it is important for school districts to stay ahead of the attacker.<\/p>\n<p dir=\"ltr\">As highlighted in <a href=\"https:\/\/cybersecurityworks.com\/resources\/whitepapers\/ransomware-index-update-q2-q3-2022.html\" target=\"_blank\" rel=\"noopener\">Securin\u2019s Ransomware Spotlight Report 2022 Q2 and Q3<\/a>, the total number of vulnerabilities tied to ransomware has risen to 323, clocking a 466% growth from 2019. Overall, 35 vulnerabilities have become associated with ransomware in 2022, with 159 key ransomware associated vulnerabilities trending as a point of interest for malicious actors. This emphasizes the need for periodic vulnerability management and patching to maintain good cyber hygiene.<\/p>\n<p dir=\"ltr\"><strong>Securin\u2019s Attack Surface Management platform helps improve your organizational security posture through actionable insights by leveraging our excellent threat hunting expertise. <a href=\"https:\/\/securin.io\/\" target=\"_blank\" rel=\"noopener\">Click here<\/a>\u00a0to learn more about Securin.<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>Worried about how susceptible your organization is to a ransomware attack?<br \/>\nGet a Ransomware Exposure Assessment done today!\u00a0<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong><a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Click here<\/a> to talk to us.\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vice Society has been observed employing ransomware variants, similar to the Russian Sandworm Team and TA505 threat actors.<\/p>\n","protected":false},"author":1,"featured_media":12102,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,117],"tags":[623,89,118,125,122,91,301],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12101"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=12101"}],"version-history":[{"count":11,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12101\/revisions"}],"predecessor-version":[{"id":17820,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/12101\/revisions\/17820"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/12102"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=12101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=12101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=12101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}