Joint CyberSecurity Advisory on Vice Society (AA22-249A)
Description
On September 6, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory on the Vice Society ransomware group, which has been active since mid-2021 and targets multiple industry sectors including education, healthcare, and government. The threat actor uses double extortion: victims are threatened with permanent loss of their encrypted files and with public release of the stolen data if the ransom is not paid.
Why is this Significant?
This is significant because the alleged Vice Society victims listed on the group's data leak site include organizations in the education, healthcare, and government sectors, which other major ransomware groups often claim to exempt. Of the last ten victims listed (as of September 7, 2022), more than half are in the education and healthcare sectors.
Once the threat actor gains a foothold in the victim's network, it moves laterally, exfiltrates valuable information, and deploys ransomware that encrypts files on the compromised machines. The stolen data is then published, which can damage the reputation of the affected organizations.
What is Vice Society Ransomware Group?
Vice Society is a ransomware group that has been active since at least mid-2021 and targets both Windows and Linux systems. What sets this group apart is that it deploys third-party ransomware against its victims rather than developing its own; the families reportedly used include HelloKitty, FiveHands, and Zeppelin.
[Image: typical ransom note left behind by the Vice Society threat actor]
[Image: top page of the Vice Society leak site]
FortiGuard signatures related to this threat:
- W32/Buran.H!tr.ransom
- W32/Filecoder.OJI!tr
- ELF/Filecoder.8BB5!tr.ransom
- W32/Generic.AC.171!tr
- MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation
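The IPS signature above and the appendix entries point to PrintNightmare (CVE-2021-1675 / CVE-2021-34527) as a technique relevant to this advisory. The following PowerShell script, added here and not part of the original page, the CISA advisory, or Fortinet's material, audits a Windows host for the PrintNightmare hardening settings Microsoft published for those CVEs. The service name, registry keys, and value names are Microsoft's documented ones; the function name, the $findings list, and the OK/WARN wording are this script's own assumptions.

```powershell
# Added example: read-only audit of a Windows host for Microsoft's documented
# PrintNightmare (CVE-2021-1675 / CVE-2021-34527) mitigations. Not from the advisory
# or from Fortinet; registry paths and value names are Microsoft's, the function name
# and the OK/WARN wording are this script's own. Run from an elevated session.

function Get-PrintNightmareAudit {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Print Spooler service. On hosts that never print, stopping and disabling the
    #    service removes the whole attack surface; where printing is required the policy
    #    checks below must pass instead.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add('OK   Spooler: service not installed')
    }
    elseif ($spooler.Status -eq 'Running') {
        $findings.Add("WARN Spooler: running (StartType=$($spooler.StartType)); disable it on hosts that do not print")
    }
    else {
        $findings.Add("OK   Spooler: $($spooler.Status) (StartType=$($spooler.StartType))")
    }

    # 2. Policy "Allow Print Spooler to accept client connections". A value of 2 refuses
    #    inbound remote print requests, which blocks the remote (RCE) path of
    #    CVE-2021-34527 while local printing keeps working.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($rpc -eq 2) {
        $findings.Add('OK   Remote RPC: spooler does not accept client connections')
    }
    else {
        $shown = if ($null -eq $rpc) { 'not set' } else { $rpc }
        $findings.Add("WARN Remote RPC: spooler accepts client connections (RegisterSpoolerRemoteRpcEndPoint=$shown)")
    }

    # 3. Point and Print policy. Since KB5005652 (August 2021) non-administrators cannot
    #    install printer drivers unless RestrictDriverInstallationToAdministrators is
    #    explicitly 0. NoWarningNoElevationOnInstall=1 or a non-zero UpdatePromptSettings
    #    suppress the elevation prompts that the PrintNightmare driver-install path abuses.
    $pnp = Get-ItemProperty -Path (Join-Path $printersKey 'PointAndPrint') -ErrorAction SilentlyContinue

    if ($pnp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('WARN Point and Print: RestrictDriverInstallationToAdministrators=0 lets non-admins install drivers')
    }
    else {
        $findings.Add('OK   Point and Print: driver installation restricted to administrators (default after KB5005652)')
    }

    if ($pnp.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('WARN Point and Print: NoWarningNoElevationOnInstall=1 removes the install-time elevation prompt')
    }
    else {
        $findings.Add('OK   Point and Print: install-time warning and elevation prompt enabled')
    }

    if ($pnp.UpdatePromptSettings -gt 0) {
        $findings.Add("WARN Point and Print: UpdatePromptSettings=$($pnp.UpdatePromptSettings) suppresses driver-update prompts")
    }
    else {
        $findings.Add('OK   Point and Print: driver-update prompts enabled')
    }

    return $findings
}

# Print one line per check; any WARN line is a setting to review on this host.
Get-PrintNightmareAudit | ForEach-Object { Write-Output $_ }
```

The script only reads state, so it is safe to run across a fleet via remoting; it does not replace patching, and a host that passes every check but is missing the July 2021 and later Print Spooler updates is still exposed to the local privilege escalation variant.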
Appendix
Alert (AA22-249A) #StopRansomware: Vice Society (CISA)
Microsoft PrintNightmare (Fortinet)
#PrintNightmare Zero Day Remote Code Execution Vulnerability (Fortinet)
CVE-2021-1675 (MITRE)
CVE-2021-34527 (MITRE)