US Education Sector Attacked by Vice Society Ransomware
Researchers from Microsoft Released an Advisory Sharing their Findings on the Group’s Activity.
The US has recently been confronted with a threat actor named ‘Vice Society’, which has been using ransomware and extortion to attack the education sector around the world, with a focus on the United States.
On Tuesday, researchers from Microsoft’s security team released an advisory detailing their findings on Vice Society, which the company tracks as DEV-0832.
DEV-0832 has shifted its ransomware payloads over time between BlackCat, QuantumLocker, and Zeppelin. Its latest payload is a Zeppelin variant that appends Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked. In several cases, Microsoft assesses that the group did not deploy ransomware at all and instead likely extorted victims using only exfiltrated data.
DEV-0832, Focused on the Education Sector
Between July and October 2022, DEV-0832’s most recent opportunistic attacks heavily affected the education sector. However, the company states that Vice Society has been operating since June of last year and that its earlier attacks hit a wide range of industries, including local government and retail.
The security researchers have concluded that the gang is financially motivated, as evidenced by its rotating targets and by its continued pursuit of organizations with less robust security, where the likelihood of compromise, and of an eventual ransom payout, is higher.
DEV-0832 uses “tactics, strategies, and procedures” that are “similar among other ransomware actors” before it deploys ransomware, according to the advisory.
As explained by Info Security, a few examples are the use of PowerShell scripts combined with repurposed legitimate utilities, the exploitation of publicly reported vulnerabilities to gain initial access and elevate privileges, and the deployment of commodity backdoors like SystemBC.
Ransomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations.
The advisory also describes the techniques used in the group’s campaigns and includes hunting queries that customers can run to search their environments for key indicators, along with protection guidance against similar attacks.
Info Security also points out that this technical article was published weeks after Check Point’s 2022 Mid-Year Report, which revealed a worrying 44% increase in cyberattacks on the global education sector compared to 2021.
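A defender’s first question after reading an advisory like this is whether any of the named indicators are already present on their file shares. The script below is an added example, written for this article and not taken from Microsoft’s advisory, that hunts a file listing for the three Vice Society extensions named above and flags directories where several files carry them, which is the pattern of mass encryption rather than a stray file. The sample listing is constructed for the example, the per-directory threshold is an assumption, and the `.locked` extension is also used by unrelated families, so hits on it alone deserve a second look before anyone declares an incident.

```python
"""Hunt a file listing for the encrypted-file extensions attributed to DEV-0832.

Added example for this article; the extension list comes from the advisory as
quoted above, everything else (sample paths, threshold) is constructed here.
"""
import os
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the advisory attributes to DEV-0832's Zeppelin variant.
# Note: ".locked" is a generic suffix used by other families too, so treat a
# lone ".locked" hit as weaker evidence than the two Vice Society-specific ones.
VICE_SOCIETY_EXTENSIONS = (".v-s0ciety", ".v-society", ".locked")


def indicator_extension(path):
    """Return the matching indicator extension if the file name ends with one, else None.

    The ransomware appends its extension after the original one
    (e.g. report.docx.v-society), so only a trailing match counts; a file merely
    named "locked.dll" is not a hit.
    """
    name = PureWindowsPath(path).name.lower()
    for ext in VICE_SOCIETY_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def hunt(paths, mass_threshold=2):
    """Summarise indicator hits across a list of file paths.

    Returns per-extension counts, per-directory counts, and the directories whose
    hit count reaches mass_threshold (an assumed cut-off for "mass encryption").
    """
    by_ext = Counter()
    by_dir = Counter()
    for p in paths:
        ext = indicator_extension(p)
        if ext is None:
            continue
        by_ext[ext] += 1
        by_dir[str(PureWindowsPath(p).parent)] += 1
    mass_dirs = sorted(d for d, n in by_dir.items() if n >= mass_threshold)
    return {
        "by_extension": dict(by_ext),
        "by_directory": dict(by_dir),
        "mass_encryption_dirs": mass_dirs,
    }


def scan_tree(root, mass_threshold=2):
    """Walk a real directory tree and run hunt() over every file it contains."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return hunt(paths, mass_threshold)


# Constructed sample listing (not real victim data): one share with several
# renamed files, one user profile with a single ".locked" file, and two decoys.
SAMPLE_LISTING = [
    r"\\fileserver\shares\hr\benefits.xlsx.v-society",
    r"\\fileserver\shares\hr\handbook.pdf.v-society",
    r"\\fileserver\shares\hr\readme.txt",
    r"\\fileserver\shares\finance\budget_2022.xlsx.v-s0ciety",
    r"C:\Users\jdoe\Documents\thesis.docx.locked",
    r"C:\Users\jdoe\Documents\notes.txt",
    r"C:\Program Files\App\locked.dll",
]


if __name__ == "__main__":
    result = hunt(SAMPLE_LISTING)
    print("hits by extension:", result["by_extension"])
    print("hits by directory:", result["by_directory"])
    print("directories showing mass encryption:", result["mass_encryption_dirs"])
```

Running it against the constructed listing reports two `.v-society` hits, one `.v-s0ciety` hit and one `.locked` hit, and singles out the HR share as the only directory at the mass-encryption threshold; pointing `scan_tree()` at a mounted share does the same over live data. Matching only on trailing extensions keeps `locked.dll` out of the results, which is the kind of false positive a naive substring search would produce.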
If you are interested in learning more about the most dangerous ransomware groups in 2022, check out this list prepared by my colleague Antonia.