Microsoft is sounding the alarm on Vice Society, a ransomware group that is heavily targeting the education sector and preying upon organizations that have weak security controls and a higher likelihood of compromise and ransom payout.
The ransomware group was detailed in an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and other agencies last month, and Microsoft renews those warnings in a new blog detailing the group’s activities, techniques and behaviors. That advisory came Sept. 6, so Microsoft’s renewed warning indicates that the group is still very active.
Vice Society appears to be financially motivated and targets organizations with weak security controls that can be forced to pay the ransom, and education and local government fit that bill. However, Microsoft notes that the ransomware group has also targeted retail.
According to a Microsoft security blog, Vice Society uses tactics, techniques and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like SystemBC.
The group exploits vulnerabilities in internet-facing applications and compromising credentials and escalates privileges with other bugs such as PrintNightmare.
Like other ransomware campaigns, Vice Society threatens to leak stolen data if a ransom is not paid. In some cases, the group simply extorts data and doesn’t even deploy ransomware, according to Microsoft.
To prevent recovery and skirting ransom demands, Vice Society goes to great lengths including accessing user domain passwords and resetting user passwords. In one case, the group reset over 150,000 user passwords and locked out legitimate users before deploying ransomware.
Vice Society deploys multiple commodity ransomware variants, but has recently deployed a Vice Society-branded variant of the Zeppelin ransomware.
In addition to commodity tools such as SystemBC and PortStarter, the group uses legitimate tools such as Power Admin, Windows Management Instrumentation Command-line, RDP, Impacket’s WMIexec, vssadmin, and PsExec.
The ransomware group follows many typical threat actor actions, such as gathering valid administrator local or domain credentials for widespread ransomware deployment and harvesting credentials.
Read the Microsoft blog for CISA advisory for more information.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply