Vice Society

Vice Society is a hacking group known for ransomware extortion attacks on healthcare, educational and manufacturing organizations. The group emerged in the summer of 2021 and is believed to be Russian-speaking. Vice Society uses double extorsion and does not operate a ransomware as a service model.

They have attacked targets in both Europe and the United States, including a major compromise of the Los Angeles Unified School District.

Description
The group emerged in the summer of 2021. It has disproportionately targeted the education sector. Research from cybersecurity firm Palo Alto Networks found that Vice Society had listed 33 schools on its data leak site in 2022 alone. Experts categorize Vice Society as a "second- or third-tier" ransomware group in terms of sophistication. However, its prolific attacks on lesser-known schools and regional hospitals have allowed Vice Society to fly under the radar.

Vice Society engages in double extortion, stealing data for leverage in ransom negotiations. They threaten to publish exfiltrated data on dedicated leak sites if ransom demands are not met. Initial ransom demands have exceeded US$1 million, with final negotiated amounts around US$460,000. The group is known to negotiate ransoms down from initial multimillion dollar demands.

Unlike many ransomware groups, Vice Society does not operate using a ransomware as a service model with affiliate hackers. Instead, the group conducts its own intrusions and deployments. This allows Vice Society to quickly move through target networks, with dwell times as short as 6 days before detection.

The group gained significant attention in late 2022 and early 2023 due to a series of high-profile attacks, including one targeting the rapid transit system in San Francisco.

Tactics and techniques
According to the U.S. Cybersecurity and Infrastructure Security Agency, Vice Society have not developed their own in-house attack tools, instead using the Hello Kitty/Five Hands and Zeppelin ransomware toolkits. More recently, the group has developed its own custom ransomware builder and implemented stronger encryption methods.

Vice Society threat actors have exploited vulnerabilities such as PrintNightmare (CVE-2021-1675, CVE-2021-34527) to gain initial access to target networks.

The group primarily gains initial network access by exploiting internet-facing applications through compromised credentials. Prior to deploying ransomware, Vice Society actors spend time exploring the network, seeking opportunities to increase access and exfiltrating data for double extortion purposes. To move laterally, they employ various tools such as SystemBC, PowerShell Empire, and Cobalt Strike. Moreover, the group uses techniques like targeting the legitimate Windows Management Instrumentation service and tainting shared content. They have also been observed exploiting the PrintNightmare vulnerability to escalate privileges. To maintain persistence, Vice Society uses scheduled tasks, undocumented autostart Registry keys, and DLL side-loading. In an effort to evade detection, the actors disguise their malware and tools as legitimate files, employ process injection, and likely use evasion techniques against automated dynamic analysis. Additionally, Vice Society actors have been known to escalate privileges, gain access to domain administrator accounts, and change victims' network account passwords to impede remediation efforts.

An analysis of Vice Society's tactics showed the use of tools like Cobalt Strike and Mimikatz to escalate privileges and move laterally within a network. The group disables antivirus software and deletes system logs to evade detection. Encrypted files are appended with the ".v1cesO0ciety" extension and a ransom note is displayed.