That Threat Archive Vol 1: Vice Society
Welcome to the first edition of the That Threat Archive series, where each volume will cover a different threat actor group. In this volume we focus on Vice Society, which burst onto the ransomware scene in early 2021, attacking government offices, schools, hospitals and many other establishments.
My first exposure to this group was when I first started working in a SOC (Security Operations Centre) and had a client who had been a victim. So, as this was my first exposure, why not start with Vice Society?
Researching this group, it has that GTA Vice City feel, and the group's branding does suggest either an 80s persona or simply a love of GTA.
As stated above, Vice Society, also tracked by Microsoft as DEV-0832, burst onto the ransomware scene in early 2021. Its attacks are less technically sophisticated than those of other threat actor groups: it relies on malware, exploits and techniques refined by others rather than on anything of its own.
The group is financially motivated and focuses on organizations such as schools and hospitals, where security controls are weaker and the likelihood of both compromise and a ransom pay-out is higher. The group's members are now believed to be in their early 30s, and a Recorded Future podcast features a researcher who was able to interact with the group.
Some victims include:
- Los Angeles Unified School District — which is the second largest school district in the US
- The Austrian Medical University of Innsbruck
- The University of Duisburg
- Fire Rescue Victoria
As you can see from some of the victims they do not concentrate on one geographical location.
DEV-0832/ VICE SOCIETY TTPs
Vice Society has used single- and double-extortion ransomware (demanding payment to decrypt files and, in the double-extortion case, also to not leak the data they have exfiltrated). They have also used non-ransomware extortion, where nothing is encrypted and the demand is purely for payment to not leak exfiltrated data.
The group has not been seen to use custom tooling. Instead it relies on Cobalt Strike, SystemBC and various other commodity and publicly available tools to perform its post-exploitation activity.
THE KILL CHAIN
To gain access into victims' networks, Vice Society has been seen to use exploits for publicly disclosed vulnerabilities such as the Windows Print Spooler flaw PrintNightmare (CVE-2021-1675) and the Common Log File System driver flaw CVE-2022-24521. Note that CVE-2022-24521 is a local privilege escalation vulnerability, so it elevates an existing foothold rather than opening the door from outside. They have also used "living off the land" techniques, abusing the legitimate Windows Management Instrumentation (WMI) service rather than dropping tooling of their own.
Modus Operandi (TTPs)
- Purchases legitimate Citrix NetScaler credentials from access brokers to gain initial access to victim networks
- Performs lateral movement via Remote Desktop Protocol (RDP)
- Uses a PowerShell script to remove RDP-related artefacts (connection history and similar traces) after moving laterally
- Deploys Cobalt Strike and SystemBC to assist with post-exploitation activity
- Collects credentials by copying Ntds.dit from a domain controller, dumping LSASS memory, or using the MiniDump export of the built-in comsvcs.dll to dump LSASS without dropping a dedicated credential-theft tool
- Exfiltrates victim data using publicly available services and applications such as AnonFiles and FileZilla
- Has used a PowerShell script to automate data exfiltration
- Deploys Hive or Zeppelin ransomware on Windows systems
- Deploys the DeathKitty Linux ransomware on ESXi hosts
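The TTP list above is exactly the kind of thing a SOC turns into detections. The following is an added example, not code from the original post or from any vendor report, showing toy rules for four of the behaviours listed (comsvcs.dll MiniDump of LSASS, Ntds.dit extraction, RDP artefact cleanup, and exfiltration tooling) run over constructed Sysmon-style events. The `Event` field names, rule names and the specific command-line patterns are assumptions about how these techniques commonly appear in telemetry; the sample events are made up for illustration and are not from a real incident.

```python
"""Toy behavioural detections for the Vice Society post-exploitation TTPs.

Added example. Field names mimic Sysmon Event ID 1 (process create) and
Event ID 11 (file create) but are an assumed, simplified schema.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create
    image: str               # full path of the acting process
    command_line: str = ""   # only meaningful for event_id 1
    target_filename: str = ""  # only meaningful for event_id 11


def _img(e: Event, name: str) -> bool:
    """True if the acting process binary is `name` (case-insensitive)."""
    return e.image.lower().endswith("\\" + name)


def comsvcs_minidump(e: Event) -> bool:
    # rundll32 invoking comsvcs.dll's MiniDump export (by name or ordinal #24)
    # to dump a process, which for LSASS is a credential dump without Mimikatz.
    return bool(e.event_id == 1 and _img(e, "rundll32.exe")
                and re.search(r"comsvcs", e.command_line, re.I)
                and re.search(r"minidump|#24", e.command_line, re.I))


def ntds_copy(e: Event) -> bool:
    # ntdsutil "ifm" export, or ntds.dit written anywhere other than its home.
    if e.event_id == 1 and _img(e, "ntdsutil.exe"):
        return re.search(r"\bifm\b", e.command_line, re.I) is not None
    if e.event_id == 11:
        t = e.target_filename.lower()
        return t.endswith("\\ntds.dit") and "\\windows\\ntds\\" not in t
    return False


def rdp_artefact_cleanup(e: Event) -> bool:
    # PowerShell or reg.exe deleting the RDP client MRU keys or Default.rdp,
    # the artefacts an attacker removes to hide RDP-based lateral movement.
    if e.event_id != 1 or not (_img(e, "powershell.exe") or _img(e, "reg.exe")):
        return False
    cl = e.command_line.lower()
    return (("remove-item" in cl or "delete" in cl)
            and ("terminal server client" in cl or "default.rdp" in cl))


def filezilla_launch(e: Event) -> bool:
    # Interactive FTP client on a server is itself worth a look (exfil staging).
    return e.event_id == 1 and _img(e, "filezilla.exe")


def web_upload(e: Event) -> bool:
    # PowerShell pushing a local file to a public file-sharing host.
    cl = e.command_line.lower()
    return (e.event_id == 1 and _img(e, "powershell.exe")
            and "-infile" in cl and "anonfiles" in cl)


# (rule name, ATT&CK technique, predicate)
RULES = [
    ("comsvcs_minidump", "T1003.001", comsvcs_minidump),
    ("ntds_copy", "T1003.003", ntds_copy),
    ("rdp_artefact_cleanup", "T1070", rdp_artefact_cleanup),
    ("filezilla_launch", "T1048", filezilla_launch),
    ("web_upload", "T1567.002", web_upload),
]


def run_rules(events):
    """Return (rule_name, technique, event_index) for every rule an event trips."""
    hits = []
    for i, e in enumerate(events):
        for name, tech, pred in RULES:
            if pred(e):
                hits.append((name, tech, i))
    return hits


# Constructed sample telemetry (not from a real incident). The last two
# events are benign and must not fire.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\l.dmp full"),
    Event(1, r"C:\Windows\System32\ntdsutil.exe",
          r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'),
    Event(11, r"C:\Windows\System32\ntdsutil.exe",
          target_filename=r"C:\temp\ifm\Active Directory\ntds.dit"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ep bypass -c Remove-Item 'HKCU:\Software\Microsoft\Terminal Server Client\Default' -Recurse"),
    Event(1, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "filezilla.exe"),
    Event(1, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    Event(11, r"C:\Windows\System32\lsass.exe", target_filename=r"C:\Windows\NTDS\ntds.dit"),
]

if __name__ == "__main__":
    for name, tech, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:22} {tech:10} event[{idx}] {SAMPLE_EVENTS[idx].image}")
```

Each rule keys on the behaviour (which binary does what to which file or key) rather than on a hash, which is the only way to catch a group that uses nothing but built-in and commodity tooling. In production these would be Sigma or KQL rules over real Sysmon or EDR telemetry, and the ntds.dit and LSASS rules in particular deserve a low false-positive tolerance.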
Indicators Of Compromise
MITRE ATT&CK MAPPING
Conclusion
Even though Vice Society might be the retro ransomware gang, with an 80s persona and a GTA Vice City feel, they are still a group to be feared. They may use old techniques and borrow other people's tools and TTPs, but they remain a real threat to the education sector.
Even now, reviewing the dark web or trackers such as RedPacket Security, we still see victims being hit.
Is Vice Society good at what they do, or do victims simply not have the resources or capability to deal with this? Another theory is that senior leadership bat it off and take the profit, only spending the money after a breach. There are many theories, and I will leave that thought with you; however, until someone speaks out or you are in that situation yourself, Vice Society is going to keep doing what it is doing.
All I will say is this:
- Patch management is critical
- Maintain offline backups of data
- Implement a recovery plan
- Have strong passwords
- Train your users