CISA #StopRansomware Advisory: Vice Society
Industry: Education | Level: Tactical | Source: CISA
The latest #StopRansomware advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) shares technical details on Vice Society ransomware. School districts have been identified as Vice Society's most prominent target, and concern is heightened now that school sessions have resumed for the new academic year. "K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers." The ransomware used by the group is not unique: Vice Society has deployed malware from Hello Kitty/Five Hands and Zeppelin ransomware. The group typically gains initial access by exploiting vulnerabilities in public-facing applications or by using compromised accounts. Living-off-the-land binaries (LOLBins) used by the group have included Windows Management Instrumentation (WMI) and network shares. Vice Society has also exploited the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) for privilege escalation. Persistence is achieved through scheduled tasks, entries in the autorun registry keys, and DLL side-loading. To inhibit system recovery, the operators have executed "scripts to change the passwords of victims’ network accounts to prevent the victim from remediating." Their operations follow a double extortion model, leaking victim data when ransom demands aren't met.
Anvilogic Use Cases:
- Additional dll added to Spool Driver
- Rare Remote Thread
- WinRM Tools
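The advisory paragraph and the use-case list above name several host-level signals a defender can watch for: a new DLL written under the print spooler's driver directory (the PrintNightmare footprint), an autorun registry entry, a newly created scheduled task, and scripted password changes across many accounts. The following is an added example, not code from CISA, the FBI or Anvilogic, showing how those four signals could be expressed as simple detection rules run over Sysmon-style events. The sample events, the host names, the file and task names, and the bulk-password-change threshold of three are all constructed for this example; the Sysmon event IDs used (1 = process create, 11 = file create, 13 = registry value set) are the real ones.

```python
"""Added example: toy detections for Vice Society persistence and recovery-inhibition
signals over constructed Sysmon-style events. Not CISA/FBI/Anvilogic code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sysmon event IDs: 1 = process create, 11 = file create, 13 = registry value set.
# All hosts, paths and command lines below are constructed sample data.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "target": r"C:\Windows\System32\spool\drivers\x64\3\New\driver_update.dll"},
    {"host": "ws01", "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "target": r"C:\Windows\System32\spool\drivers\x64\3\printer.gpd"},   # benign data file
    {"host": "ws01", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SvcUpdate"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /create /sc onlogon /tn "SvcUpdate" /tr C:\\Users\\Public\\u.exe'},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /query /fo LIST"},                          # benign query
    {"host": "dc01", "event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user alice Xy7!pass /domain"},
    {"host": "dc01", "event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user bob Xy7!pass /domain"},
    {"host": "dc01", "event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user carol Xy7!pass /domain"},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user"},                                          # benign listing
]

# Print spooler driver store; a DLL landing here is the PrintNightmare-style footprint.
SPOOL_DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\"
# Autorun keys (Run and RunOnce) under any hive.
RUN_KEY_RE = re.compile(r"\\windows\\currentversion\\run(once)?\\", re.I)
# "net user <name> <password>" where the two arguments are not switches.
NET_USER_SET_RE = re.compile(r"^net(?:1)?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+", re.I)
BULK_PASSWORD_THRESHOLD = 3  # assumed threshold: password sets per host before alerting


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per matched rule, in event order; bulk rule is emitted last."""
    findings = []
    password_sets = defaultdict(list)  # host -> list of "net user <name> <pw>" commands
    for e in events:
        eid = e["event_id"]
        if eid == 11:
            target = e.get("target", "").lower()
            if target.startswith(SPOOL_DRIVER_DIR) and target.endswith(".dll"):
                findings.append(Finding("spool_driver_dll_added", e["host"], e["target"]))
        elif eid == 13:
            if RUN_KEY_RE.search(e.get("target", "")):
                findings.append(Finding("autorun_registry_entry", e["host"], e["target"]))
        elif eid == 1:
            cmd = e.get("command_line", "")
            image = _basename(e.get("image", ""))
            if image == "schtasks.exe" and "/create" in cmd.lower():
                findings.append(Finding("scheduled_task_created", e["host"], cmd))
            elif image in ("net.exe", "net1.exe") and NET_USER_SET_RE.match(cmd):
                password_sets[e["host"]].append(cmd)
    # Recovery inhibition: many account password resets from one host in the window.
    for host, cmds in password_sets.items():
        if len(cmds) >= BULK_PASSWORD_THRESHOLD:
            findings.append(Finding("bulk_account_password_change", host,
                                    f"{len(cmds)} 'net user <name> <password>' commands"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] host={f.host} {f.detail}")
```

The spooler rule keys on the file extension and directory only, so in production it should be paired with an allow-list of signed vendor driver packages; the bulk-password rule is deliberately a count over a window of events rather than a single-command match, since a lone `net user` reset is routine help-desk activity while a burst of them from one host is the recovery-inhibition behaviour the advisory describes.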