Vice Society: Who, What, Where, Why, How

Vice Society (aka DEV-0832) is a cybercriminal group that has hit hundreds of K-12 educational institutions with ransomware and extortion campaigns. It’s less technically sophisticated than many other threat groups, and relies on malware, exploits, and techniques developed by others.

Logo from Vice Society website, courtesy Tripwire

Who

Vice Society was first observed in June 2021. It hit targets in local government and retail before shifting focus to educational institutions in July 2022. These targets have been primarily K-12, and largely within the US. One victim was the Los Angeles Unified School District, the second-largest school district in the US. These attacks have become so numerous and high-profile that the FBI, CISA, and the MS-ISAC issued a joint advisory.

Another victim was the Austrian Medical University of Innsbruck.

Based on their use of the Russian language, it seems likely that Vice Society members are Russian.

Vice Society members are believed to be males in their 20s, which fits the design of their website, styled after the video game Grand Theft Auto.

What

Vice Society has used single- and double-extortion ransomware (demanding payment to decrypt files and to not leak data they’ve exfiltrated). It’s also used non-ransomware extortion (demanding payment to not leak data they’ve exfiltrated).

The group’s use of various malware and ransomware indicates that they have connections to other cybercriminal groups.

Vice Society has hit machines running Windows and Linux ESXi.

Where

Based on their use of the Russian language, it seems likely that Vice Society members are Russian.

Why

Because they demand payments for their ransomware and extortion attacks, it’s assumed that Vice Society is financially motivated.

Vice Society may target K-12 schools because they store or have access to large amounts of personal student and employee information, which can be used for extortion and/or identity theft.

Schools are particularly vulnerable because they often lack strong cybersecurity defenses. They’re often slow to patch, so vulnerabilities remain exploitable longer than in other organizations. Also, school networks are used by many people, and because so many people use the same credentials on school networks as for other accounts, Vice Society can use leaked credentials to access school networks.

Vice Society has said their strong suit is making the FBI and CISA scared, and making news.

How

To gain initial access into networks, Vice Society has used exploits for publicly disclosed vulnerabilities (such as Windows Print Spooler, aka PrintNightmare, and Common Log File System).

Once the group is in a network, it uses the following to evade detection, gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.

  • PowerShell scripts (often staged on a domain controller or network share)
  • Commodity tools (e.g., Advanced Port Scanner and Advanced IP Scanner)
  • Exploits for publicly disclosed vulnerabilities (e.g., Windows Print Spooler, aka PrintNightmare, and Common Log File System)
  • Commodity backdoors (e.g., SystemBC and PortStarter)
  • Native Windows tools (e.g., WMIC, Impacket’s WMIexec, vssadmin, and PsExec)

The Vice Society has used registry commands to attempt to disable Microsoft Defender. It has used Cobalt Strike and RDP for lateral movement. To maintain persistence, it has created scheduled tasks.

The group gathers local or domain admin credentials to maximize the number of network machines they can hit with ransomware. It has used comsvcs.dll and MiniDump to dump LSASS memory to retrieve account credentials. It has also accessed NTDS dumps to crack later. The group has also performed Kerberoast attacks using the PowerSploit module Invoke-Kerberoast to obtain service account credentials from AD DS.

Vice Society uses file compression tools to collect data from devices prior to exfiltration.

The group has used a variety of ransomware payloads, including HelloKitty/Five Hands, BlackCat, QuantumLocker, Zeppelin, and RedAlert.

After it deploys ransomware, Vice Society demands a ransom payment, and threatens to leak data on its .onion site.

The group doesn’t always use ransomware; sometimes it simply extorts, demanding payment to not leak data they’ve exfiltrated.

Vice Society has taken steps to make it more difficult for victims to recover, including resetting user passwords to prevent legitimate users from logging in.

Additional Resources

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Seeking a cyber threat intelligence (CTI) or OSINT job. I'm a CTI, OSINT, & cybersecurity enthusiast; bookworm; and fan of Tolkien & LEGO.