Overview:
Vice Society is a prolific ransomware-as-a-service (RaaS) group notorious for its disproportionate targeting of the education sector, particularly K-12 institutions. Emerging in summer 2021, they have demonstrated a preference for opportunistic attacks, timed to coincide with the start and end of the US school year, exploiting vulnerabilities and compromised credentials to gain initial access. Unlike many RaaS groups that develop their own ransomware, Vice Society utilizes readily available strains like HelloKitty/FiveHands and Zeppelin, adapting them to their operations. Their attacks frequently involve double extortion, exfiltrating data before deploying ransomware and threatening to publish it publicly unless a ransom is paid; this data is often published on their Tor network leak site, which has undergone changes, including the addition of a blog and a “For Journalists” section. While their geographic origins remain unclear, their attacks have impacted organizations worldwide, with Unit 42 incident response data showing dwell times as long as six days and initial ransom demands exceeding $1 million, decreasing to as low as $460,000 after negotiations. They also target healthcare and non-governmental organizations (NGOs).
Known Aliases:
No aliases beyond “Vice Society” are publicly known.
Country of Origin:
The country of origin for Vice Society is currently unknown. Their attacks have a global reach, with victims across numerous countries.
Known High-Profile Attacks of Vice Society Ransomware:
- Cincinnati State Technical and Community College (November 2022): PII and documents stolen, IT disruption affecting 10,000 students and 1,000 staff.
- Austrian Medical University, Innsbruck (June 2022): IT disruption affecting 3,400 students.
- City of Palermo, Italy (June 2022): Large-scale services outage impacting 1.3 million people and tourists.
- Los Angeles Unified School District (LAUSD) (May 2022): 640,000 students’ PII affected, 500 GB of data stolen. Also impacted Los Angeles city and 31 municipalities.
- Optionis Group (February 2022): Contractors’ data dumped online.
- Spar supermarket (January 2022): Card machines in 600 stores taken down, some stores closed.
- James Hall & Co (December 2021): 93,000 stolen files published.
- United Health Centers (September 2021): Disruption across locations, patient data theft.
- Barlow Respiratory Hospital (September 2021): IT systems, network, and electronic medical record system affected.
- Manhasset Union Free School District (mid-2021): Data dumped on the dark web leak site.
- Eskenazi Health (August 2021): EHR downtime and extensive IT disruption.
- Town of Rolle, Switzerland (August 2021): Administrative servers affected, sensitive documents exfiltrated.
- Linn-Mar School District (August 2021): IT system disruption.
MITRE ATT&CK Tactics and Techniques Used by Vice Society Ransomware:

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1566 | Phishing |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1053 | Scheduled Task/Job |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1543 | Modify System Process |
| Persistence | T1547 | Registry Run Keys/Startup Folder |
| Persistence | T1574 | DLL Side-Loading |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1497 | Sandbox Evasion |
| Defense Evasion | T1070 | Indicator Removal on Host |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1562 | Impair Defenses |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1482 | Domain Trust Discovery |
| Lateral Movement | T1021 | Remote Services |
| Lateral Movement | T1080 | Taint Shared Content |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Exfiltration | TA0010 | Exfiltration |
| Exfiltration | T1020 | Automated Exfiltration |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Command and Control | T1219 | Remote Access Software |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1531 | Account Access Removal |
Vice Society Ransomware Methods of Attack/Infiltration:
Vice Society's attacks typically begin with gaining initial access through one of the following methods:
- Exploiting vulnerabilities: They actively exploit publicly known vulnerabilities, notably the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527).
- Compromised credentials: They leverage stolen or compromised credentials to access networks.
- Phishing: Phishing campaigns are used to deliver malicious payloads.
Once inside, their post-access activity follows a consistent pattern:
- They use a range of techniques for lateral movement and data exfiltration, including tools such as SystemBC, PowerShell Empire, and Cobalt Strike.
- They employ "living off the land" techniques, leveraging legitimate Windows tools such as WMI to avoid detection.
- They aim to escalate privileges, often gaining domain administrator access.
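The two behaviours above that leave the clearest host telemetry are WMI-driven execution and PrintNightmare follow-on activity in the print spooler. The following detection logic is an added example written for this profile; it is not code from the original page or from any vendor tool. It runs two heuristics over constructed Sysmon-style process-creation and image-load records: the field names (event, host, image, parent_image, cmdline, loaded_image), the spool driver path pattern, and every sample record are assumptions built for the example.

```python
"""Added detection example (not from the original page or any vendor tool).

Two heuristics matching Vice Society behaviour described above, run over
constructed Sysmon-style records:
  1. "Living off the land" via WMI: WmiPrvSE.exe spawning a command or
     scripting interpreter (ATT&CK T1047 / T1059).
  2. PrintNightmare (CVE-2021-1675 / CVE-2021-34527) follow-on activity:
     spoolsv.exe loading a DLL from the print-driver directory.
Field names and every sample record are assumptions built for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters that should not normally be children of the WMI provider host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Print-driver directory under the spooler (assumed path pattern).
SPOOL_DRIVER_DIR = re.compile(r"\\windows\\system32\\spool\\drivers\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(records: list[dict]) -> list[Alert]:
    """Return one Alert per record that matches either heuristic."""
    alerts = []
    for r in records:
        host = r.get("host", "?")
        if r.get("event") == "process_create":
            parent = basename(r.get("parent_image", ""))
            child = basename(r.get("image", ""))
            if parent == "wmiprvse.exe" and child in SHELLS:
                alerts.append(Alert(host, "wmi_spawned_shell",
                                    f"{parent} -> {child}: {r.get('cmdline', '')}"))
        elif r.get("event") == "image_load":
            proc = basename(r.get("image", ""))
            loaded = r.get("loaded_image", "")
            if (proc == "spoolsv.exe" and loaded.lower().endswith(".dll")
                    and SPOOL_DRIVER_DIR.search(loaded)):
                alerts.append(Alert(host, "spooler_driver_dll_load", loaded))
    return alerts


# Constructed telemetry: two true positives and three benign records.
SAMPLE_RECORDS = [
    {"event": "process_create", "host": "WS01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"event": "process_create", "host": "WS01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"event": "image_load", "host": "PRINT01",
     "image": r"C:\Windows\System32\spoolsv.exe",
     "loaded_image": r"C:\Windows\System32\spool\drivers\x64\3\New\stage.dll"},
    {"event": "image_load", "host": "PRINT01",
     "image": r"C:\Windows\System32\spoolsv.exe",
     "loaded_image": r"C:\Windows\System32\winspool.drv"},
    {"event": "process_create", "host": "SRV02",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def run_sample() -> list[Alert]:
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.host}] {a.rule}: {a.detail}")
```

The spooler rule fires on legitimate driver installs as well, because that is exactly the directory new drivers are staged in; in production, correlate it with change windows or print-server driver deployments before paging anyone. The WMI rule needs tuning against administrative tooling that intentionally executes scripts through WMI on the same hosts.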
Vice Society Malware/Ransomware Strains:
Vice Society is known to deploy:
- HelloKitty/FiveHands ransomware: This was used in their early attacks and is notable for its AES-256 encryption and Linux variant. Encrypted files are appended with the extension ".v-society".
- Zeppelin ransomware: Another ransomware strain deployed by the group. Encrypted files are appended with the extension "A1A-A80-4CD". A ransom note titled "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" is left on the desktop.
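The file extensions and ransom-note name above are the indicators an incident responder can triage against on a suspect host. The scanner below is an added example, not code from the original page; it walks a directory tree, counts files matching the page's three file-level indicators, and records the first path seen for each. The directory layout built by build_sample_tree() is constructed for the example and is the only assumption beyond the indicators themselves.

```python
"""Added example (not from the original page): host-side triage scan for the
file-level indicators attributed to Vice Society above.

Indicators taken from the page text:
  - encrypted-file extension ".v-society" (HelloKitty/FiveHands)
  - encrypted-file extension "A1A-A80-4CD" (Zeppelin)
  - ransom note "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
The sample tree written by build_sample_tree() is constructed for this example.
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from pathlib import Path

# Matched case-insensitively; NTFS is case-preserving but case-insensitive.
ENCRYPTED_SUFFIXES = (".v-society", ".a1a-a80-4cd")
RANSOM_NOTE = "!!! all your files are encrypted !!!.txt"


def classify(name: str) -> str | None:
    """Map a file name to an indicator class, or None if it matches nothing."""
    lowered = name.lower()
    if lowered == RANSOM_NOTE:
        return "ransom_note"
    if lowered.endswith(ENCRYPTED_SUFFIXES):
        return "encrypted_file"
    return None


def scan(root: Path) -> dict:
    """Walk root and summarise indicator hits: counts plus first example path."""
    hits = Counter()
    first_seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                hits[kind] += 1
                first_seen.setdefault(kind, str(Path(dirpath, f).relative_to(root)))
    return {"counts": dict(hits), "examples": first_seen}


def build_sample_tree(root: Path) -> None:
    """Constructed layout: two encrypted files, one ransom note, one clean file."""
    docs = root / "Users" / "alice" / "Documents"
    desktop = root / "Users" / "alice" / "Desktop"
    docs.mkdir(parents=True)
    desktop.mkdir(parents=True)
    (docs / "budget.xlsx.v-society").write_bytes(b"\x00" * 16)
    (docs / "notes.docx.A1A-A80-4CD").write_bytes(b"\x00" * 16)
    (docs / "clean.txt").write_text("unaffected")
    (desktop / "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT").write_text("constructed note body")


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    result = demo()
    print(result["counts"])
    for kind, path in result["examples"].items():
        print(f"{kind}: {path}")
```

On a live host, point scan() at a mounted evidence image rather than the running system, and treat the counts as a scoping aid: the ransom note confirms which strain was deployed, while the per-directory spread of encrypted files tells you how far the encryptor got before it was stopped.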