Vice Society: Profiling a Persistent Threat to the Education Sector
- Stormsec
- Dec 6, 2022
Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups, such as LockBit, that follow the typical ransomware-as-a-service (RaaS) model, Vice Society does not develop its own custom payload: its attack chain relies on forks of pre-existing ransomware families sold on dark web marketplaces, including the HelloKitty (aka FiveHands) and Zeppelin strains.
TAGS: vice society, hellokitty, onionmail, printnightmare, lockbit, zeppelin, psexec, wildfire, powershell, fivehands, final, bloodhound, systembc
ADVERSARY: Vice Society
INDUSTRIES: Education, Healthcare, Government, Manufacturing, Retail, Finance, Media, Energy, Telecommunications
TARGETED COUNTRIES: United States of America, United Kingdom of Great Britain and Northern Ireland, France, Spain, Brazil, Germany, Italy
MALWARE FAMILIES: HelloKitty, Zeppelin
ATT&CK IDS: T1003 - OS Credential Dumping, T1020 - Automated Exfiltration, T1021 - Remote Services, T1036 - Masquerading, T1041 - Exfiltration Over C2 Channel, T1046 - Network Service Scanning, T1047 - Windows Management Instrumentation, T1048 - Exfiltration Over Alternative Protocol, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1070 - Indicator Removal on Host, T1078 - Valid Accounts, T1080 - Taint Shared Content, T1112 - Modify Registry, T1190 - Exploit Public-Facing Application, T1219 - Remote Access Software, T1482 - Domain Trust Discovery, T1486 - Data Encrypted for Impact, T1497 - Virtualization/Sandbox Evasion, T1531 - Account Access Removal, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1562 - Impair Defenses, T1566 - Phishing, T1567 - Exfiltration Over Web Service, T1570 - Lateral Tool Transfer, T1574 - Hijack Execution Flow