The Manufacturing Industry a Frequent Target of Vice Society
Category: Ransomware News | Industries: Education, Financial Services, Government, Healthcare, Insurance, Manufacturing, Media | Level: Tactical | Source: Trend Micro
The Vice Society ransomware gang made headlines for its attacks against academic institutions and healthcare organizations. While those verticals remain top targets for the cybercrime group, telemetry data from Trend Micro reveals that the manufacturing industry has been a prominent Vice Society target as well. As reported in Trend Micro's latest blog post: "through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have capability and desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels. We have detected the presence of Vice Society in Brazil (primarily affecting the country’s manufacturing industry), Argentina, Switzerland, and Israel." Statistics on the industries impacted by Vice Society, based on victims listed on the group's data leak site, show education leading with 51 entries, followed by manufacturing at 32, healthcare at 22, government at 10, and financial services at 5.
Since November 2022, Vice Society has created and deployed its own ransomware encryptor; previously the group used the FiveHands, Zeppelin, and Hello Kitty ransomware variants. A Vice Society intrusion was observed beginning on October 28th, 2022, with the ransomware deployment completed on November 12th, 2022. The arrival vector for the attack is assessed to be either exploitation of a public-facing application or RDP access using compromised credentials. Tools used in the attack included Cobalt Strike, Rubeus, Mimikatz, Kape, and a PowerShell script that created an administrator account. Following the account creation, several running processes were terminated so that the ransomware encryptor could run without hindrance. The ransomware then covered its tracks by clearing event logs, deleting RDP registry keys, and deleting the malware from the infected system.
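A defender-side illustration of two of the host-tampering steps described above, the creation of a new administrator account and the clearing of event logs, written as an added Python example that is not code from Trend Micro or Anvilogic. The Security-log records are constructed, their field names are assumptions, and the event IDs are the standard Windows ones (4720 account created, 4732 member added to a local group, 4688 process created, 1102 audit log cleared).

```python
import re
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2022-11-12T01:00:00", "host": "SRV01", "id": 4720, "actor": "CORP\\svc-ops", "target": "backupadm"},
    {"ts": "2022-11-12T01:00:05", "host": "SRV01", "id": 4732, "actor": "CORP\\svc-ops", "target": "backupadm", "group": "Administrators"},
    {"ts": "2022-11-12T01:03:00", "host": "SRV01", "id": 4688, "actor": "SRV01\\backupadm", "cmd": "wevtutil.exe cl Security"},
    {"ts": "2022-11-12T01:03:01", "host": "SRV01", "id": 1102, "actor": "SRV01\\backupadm"},
    # Benign control: an account created by the helpdesk that never becomes an admin.
    {"ts": "2022-11-12T09:00:00", "host": "WS07", "id": 4720, "actor": "CORP\\helpdesk", "target": "newhire"},
]

# wevtutil "cl" / "clear-log" is the built-in way to wipe a Windows event log.
LOG_CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # how soon after creation an admin add is suspicious


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events):
    """Return a sorted list of (rule, host, account) findings over the records."""
    findings = set()
    creations = [e for e in events if e["id"] == 4720]
    for e in events:
        # Rule 1: a freshly created account is added to Administrators shortly afterwards.
        if e["id"] == 4732 and e.get("group") == "Administrators":
            for c in creations:
                if (c["host"] == e["host"] and c["target"] == e["target"]
                        and timedelta(0) <= _ts(e) - _ts(c) <= WINDOW):
                    findings.add(("new_local_admin", e["host"], e["target"]))
        # Rule 2: event log cleared, seen either as the 1102 audit record or as the
        # process-creation record of the command that performed it.
        if e["id"] == 1102 or (e["id"] == 4688 and LOG_CLEAR_CMD.search(e.get("cmd", ""))):
            findings.add(("log_cleared", e["host"], e["actor"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Both rules fire for SRV01 only; the helpdesk account creation on WS07 produces no finding because it is never followed by an Administrators group addition.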
- Credential Access/RDP Executes Script And Tampers w. Host Config
Anvilogic Use Cases:
- RDP Connection
- Mimikatz Execution
- Rubeus Commands