The threat group Vice Society has been targeting the education sector, particularly in the US. The gang has launched its own blog, hinting that it wants to reach the top of the ransomware rankings by the end of 2022.
Contrary to what you would expect, this ransomware group doesn’t always deploy ransomware. On Tuesday, Microsoft released a blog post detailing Vice Society’s tactics, techniques, and procedures, noting that in some cases the group prefers pure extortion, threatening to leak data unless its demands are met.
According to security researcher Dominic Alvieri, Vice Society has launched its own blog. Its first post shares “their favorite” article, “The Top 5 Ransomware and Malware Groups Making Strides this Year” by Brad Slavin, which ranks Vice Society fifth on the list.
“Thank you, Brad Slavin, for your article! We are waiting for your new TOP list at the end of 2022,” a blog post reads.
The gang’s latest attacks have heavily impacted the education sector.
“Their previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout,” the blog post reads.
According to Microsoft, Vice Society exploits publicly known vulnerabilities, relies on tools such as PowerShell scripts, and repurposes legitimate tools.
Vice Society uses custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gain an initial foothold in compromised networks.
After deploying ransomware, the gang demands payment, threatening to leak the stolen data on its leak site. In other cases it simply exfiltrates data and dwells in the compromised network, hoping that this alone will be enough to extort money from the victim.
The gang has been observed deploying several ransomware payloads, including BlackCat, QuantumLocker, and Zeppelin.
“The group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or post-compromise incident response,” the blog reads.