Vice Society Wielding Multiple Strains of RansomwareFrom BlackCat to Quantum Locker to Hello Kitty, Gang Likely Picks Best Tool for Job
The Russian-language ransomware gang Vice Society, living up to its name, continues to test new strategies to take down more victims and boost its illicit profits.
If those bona fides aren't wicked enough, the group has a predilection for hitting schools and threatening to dump stolen student data on its dedicated data leak site.
Vice Society has been "disproportionately targeting the education sector with ransomware attacks," a recent U.S. government cybersecurity alert warns, predicting that the group's attacks against schools and their managed service providers will increase this year.
Over the Labor Day weekend, the Los Angeles Unified School District confirmed that it had fallen victim to a ransomware attack launched by the group.
Other recent victims claimed by the gang - these claims couldn't be confirmed - include a French gynecology-obstetrics hospital, a Pennsylvania school district, a number of schools in England, a college in Australia and a Greek steelworks.
The group appears to wield a constantly changing array of tools, including ransomware variants. "Vice Society actors do not use a ransomware variant of unique origin," according to the joint alert from the FBI, the Cybersecurity Infrastructure and Security Agency, and the Multi-State Information Sharing and Analysis Center.
Vice Society has worked with the Quantum Locker and BlackCat ransomware-as-a-service operations, researchers at Microsoft say in a new report.
RaaS operations provide affiliates with crypto-locking malware in exchange for a cut of every ransom paid, and the operator typically keeps 30%.
Lately, Vice Society appears to have been buying its crypto-locking malware outright, or perhaps customizing freely available options. "The actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future," the U.S. government alert says.
Zeppelin is off-the-shelf malware, while the Hello Kitty source code is publicly available for free.
The shift away from working with RaaS groups is part of a bigger trend. "As large RaaS brand affiliation becomes less of an asset to ransomware affiliates - due to the focus of law enforcement - ransomware affiliates are becoming very fluid in their movement and sampling of different RaaS kits, or even developing their own kits based on leaked ransomware source code, such as Hello Kitty's source code or even Conti's leaked source code," ransomware incident response firm Coveware reported in May.
Vice Society is no exception, and it has also been developing and using a ransomware variant of its own devising, reports Microsoft, which refers to the gang as DEV-0832.
It's possible the group "maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution," Microsoft says.
Constantly changing its approach, late last month the group "again modified their ransomware payload to a variant dubbed RedAlert, using a
.locked file extension." RedAlert is cross-platform ransomware that was first spotted in July and designed to work across both Windows and Linux. It's not clear if the malware is sold as a commodity, provided as a service, or both, although RedAlert does maintain its own data leak site.
Like other ransomware groups over the past year, Vice Society has also been experimenting with attacks in which they just threaten to leak stolen data, rather than first encrypting systems, researchers say (see: Ransomware Attackers Eying 'Pure Data Leakage Model').
One secret to ransomware groups' success in recent years - as measured by illicit profits - remains the robust cybercrime-as-a-service ecosystem. From RaaS offerings and initial access brokers to commodity malware providers and outsourced markets for selling stolen data, numerous tools and services exist to help criminals wield and profit from ransomware.
Another factor in ransomware groups' favor continues to be the lackluster cybersecurity hygiene of many of their victims. Experts warn that Vice Society continues to successfully target known vulnerabilities for which patches are available, including the Windows Common Log File System logical-error vulnerability patched in April and PrintNightmare, aka CVE-2022-24521, which was patched in July.