Vice Society: A Threat Group of Opportunity
Category: Ransomware News | Industries: Construction, Education, Energy, Financial, Government, Healthcare, Insurance, Manufacturing, Media, Non-government organizations (NGOs), Professional Services, Retail, Technology, Telecommunications, Transportation | Level: Tactical | Source: Palo Alto Unit42
Palo Alto Unit42 released research profiling the Vice Society ransomware group, best known for its attacks against the education industry. Vice Society's activity was first observed in the summer of 2021. The group garnered attention from United States government agencies for its attacks against educational institutions; one of the largest was against the Los Angeles Unified School District. The ransomware group should be viewed as a gang (like most others) that targets industries based on opportunity. Education and healthcare are two of the verticals that most often struggle with cybersecurity, specifically its implementation and staffing. Vice Society does not currently deploy its own unique ransomware encryptor; instead, the group uses existing ransomware strains such as HelloKitty (aka FiveHands) and Zeppelin.
Exploitation of the PrintNightmare vulnerability, CVE-2021-34527, is a technique the operators have used since emerging in 2021. Unit42's timeline tracking of Vice Society's activity identified spikes coinciding with calendar events unique to United States schools. "The school year for most educational institutions in the U.S. typically starts in late August-September and ends in June. They might have been trying to time their attacks in 2022 with the transitions of the beginning and end of the school year." Within the United States, the states with the most impacted education institutions are California with 9 cases and Texas with 4, followed by Pennsylvania and Wisconsin with 3 cases each. With at least 33 cases of education organizations victimized by Vice Society, the group leads all other ransomware groups for attacks against this particular vertical. The LockBit and BlackCat ransomware groups follow with 25 and 8 cases respectively for victims in the education industry.
Anvilogic Use Cases:
- Additional dll added to Spool Driver
- Rare dll called by Spoolsv.exe
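As an added example (not part of the Unit42 research or Anvilogic's own detection content), the following Python sketches the two use cases above as detection logic over constructed Sysmon-style events: a file create under the spool driver directory, and a DLL that spoolsv.exe loads on only a handful of hosts. Host names, paths and the sample DLL name are hypothetical.

```python
"""Detection logic for the two spooler use cases listed above, run over
constructed Sysmon-style events (EventID 11 = FileCreate, EventID 7 = ImageLoad)."""
from collections import defaultdict

SPOOL_DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\"

# Constructed sample telemetry from three hosts; the paths and the DLL
# name are hypothetical and are not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    {"host": "ws02", "EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    {"host": "ws03", "EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    # A DLL dropped into the spool driver tree, then loaded by the spooler on one host.
    {"host": "ws02", "EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\New\suspicious_driver.dll"},
    {"host": "ws02", "EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\suspicious_driver.dll"},
    # Same DLL loaded by a non-spooler process: out of scope for use case 2.
    {"host": "ws03", "EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\suspicious_driver.dll"},
]


def is_spoolsv(image):
    return image.lower().endswith("\\spoolsv.exe")


def new_spool_driver_dlls(events):
    """Use case 1: any DLL written under the spool driver directory."""
    hits = []
    for e in events:
        if e["EventID"] != 11:
            continue
        path = e["TargetFilename"].lower()
        if path.startswith(SPOOL_DRIVER_DIR) and path.endswith(".dll"):
            hits.append((e["host"], e["TargetFilename"]))
    return hits


def rare_spoolsv_dlls(events, max_hosts=1):
    """Use case 2: DLLs loaded by spoolsv.exe on at most max_hosts hosts.
    Rarity is measured across the fleet, so a DLL common to every host is not flagged."""
    hosts_by_dll = defaultdict(set)
    for e in events:
        if e["EventID"] == 7 and is_spoolsv(e["Image"]):
            hosts_by_dll[e["ImageLoaded"].lower()].add(e["host"])
    return {dll: sorted(h) for dll, h in hosts_by_dll.items() if len(h) <= max_hosts}
```

In production the rarity baseline should be built over a longer window and a larger fleet than the three constructed hosts here, and the FileCreate rule is usually paired with a check on the writing process being spoolsv.exe itself.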