
When you think of "Vice Society," you might imagine an exclusive club where everyone sips cocktails and swaps scandalous secrets. Unfortunately, the reality is far less glamorous (and more illegal). Vice Society is a ransomware gang—think less glitz and glamour, more keyboards and crime—responsible for high-profile attacks on schools in 2024.

Unlike prominent groups like LockBit, which operate on a typical ransomware-as-a-service (RaaS) model, Vice Society stands out for its unique approach. They have been known to utilise modified versions, or forks, of pre-existing ransomware families. These tools are often purchased from Dark Web marketplaces, adding a layer of complexity to their attack methods.

In this article, we will explore who Vice Society is, their techniques, and how they pose a significant threat to organisations globally.

What is Vice Society?

Vice Society is a highly active ransomware group that emerged in early to mid-2021, known for its multi-pronged extortion tactics. This group targets both Windows and Linux-based systems, employing ransomware variants designed to breach diverse environments. In particular, their attacks frequently focus on ESXi servers and heavily virtualised infrastructures, making them a significant threat in these sectors.

Who Does Vice Society Ransomware Target?

The Vice Society ransomware group is notorious for targeting large enterprises, medium-sized businesses, and high-value organisations. Their victims often span critical industries, including government agencies, healthcare providers, and educational institutions, making them a significant threat to sectors handling sensitive data.

One of their key focuses is on virtualised environments, particularly systems running Linux variants, showcasing their technical sophistication.

The Vice Society ransomware attack strategy often begins with phishing and spear-phishing emails, exploiting unsuspecting victims. Additionally, they leverage third-party frameworks and exploit vulnerabilities such as the PrintNightmare vulnerability to infiltrate networks.

How Does Vice Society Attack?

Once in their target environment, attackers heavily utilise COTS (commercial off-the-shelf) utilities and LOLBins to move as stealthily as possible. In recently analysed Windows samples, persistence is achieved via the Registry (Run key). Additionally, an embedded .BAT file is dropped and executed by the ransomware to inhibit system recovery, including deleting Volume Shadow Copy (VSS) snapshots and disabling boot recovery options.

Infected victims are instructed to engage threat actors via email (specifically onion email addresses). Vice Society operations have generated or outsourced the development of ransomware variants based on Hive, Zeppelin, and HelloKitty (on Linux).
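As an added defensive example (not code from the original article or from any vendor), the following Python detector runs the two behaviours described above, Run-key persistence and recovery inhibition by a dropped batch file, over constructed process-creation log lines. The flat event format, rule names, usernames and sample commands are assumptions made for the example; it also correlates shadow-copy deletion with boot-recovery tampering per user, which goes beyond the single-command view in the text.

```python
import re
from datetime import datetime

# Constructed process-creation events in a hypothetical flat format:
# "<ISO timestamp> user=<user> parent=<image> cmd=<command line>".
SAMPLE_EVENTS = [
    "2024-03-01T10:01:02Z user=svc-backup parent=backup.exe cmd=vssadmin list shadows",
    "2024-03-01T10:02:11Z user=jdoe parent=cmd.exe cmd=vssadmin delete shadows /all /quiet",
    "2024-03-01T10:02:12Z user=jdoe parent=cmd.exe cmd=wmic shadowcopy delete",
    "2024-03-01T10:02:13Z user=jdoe parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No",
    "2024-03-01T10:02:14Z user=jdoe parent=cmd.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2024-03-01T10:03:00Z user=jdoe parent=cmd.exe cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe /f",
    "2024-03-01T10:05:00Z user=admin parent=explorer.exe cmd=notepad.exe C:\\notes.txt",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# One regex per technique; each is applied to the command line only.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "run_key_persistence": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
}


def match_rules(events):
    """Return (timestamp, user, rule_name) for every event some rule matches."""
    hits = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        for name, rx in RULES.items():
            if rx.search(m["cmd"]):
                hits.append((ts, m["user"], name))
    return hits


def recovery_inhibition_alerts(hits, window_seconds=300):
    """Alert on users who both delete shadow copies and disable boot recovery
    within the window: the dropped .BAT runs these back-to-back, whereas a
    lone admin command (e.g. a backup tool listing shadows) is usually benign."""
    by_user = {}
    for ts, user, name in hits:
        by_user.setdefault(user, {}).setdefault(name, []).append(ts)
    alerts = []
    for user, seen in by_user.items():
        vss, boot = seen.get("shadow_copy_deletion", []), seen.get("boot_recovery_disabled", [])
        if any(abs((a - b).total_seconds()) <= window_seconds for a in vss for b in boot):
            alerts.append(user)
    return sorted(alerts)
```

Feed real Sysmon Event ID 1 or EDR process-creation records through the same rules once mapped into the event format; the Run-key hit is reported on its own, since persistence alone is worth a look.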

How to Mitigate Vice Society Ransomware’s Attacks?

Employees should be educated on the risks of ransomware and how to identify and avoid phishing emails, malicious attachments, and other cybersecurity threats. They should be encouraged to report suspicious emails or attachments and avoid opening them, or clicking on links or buttons in these emails. Ransomware prevention starts with user awareness and education on cyber threats.

Organisations should implement strong passwords for all user accounts, ensuring they are unique and regularly updated. Password security is crucial: passwords should be at least 8 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters to enhance security.

Organisations should enable multi-factor authentication (MFA) for all user accounts. This provides an additional layer of security by requiring more than just a password. MFA can be implemented through mobile apps, such as Google Authenticator or Microsoft Authenticator, or physical tokens or smart cards.

Organisations should also regularly update and patch systems to fix known vulnerabilities, preventing attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices and disabling unnecessary or unused services or protocols that could pose a security risk.

Implementing regular backup and disaster recovery (BDR) processes is essential. This ensures that organisations can quickly recover from a ransomware attack or other disasters. Regular backups of all data and systems should be created and stored in a secure, offsite location. These backups should be tested regularly to ensure they are functional and can be restored quickly.