Friday, December 6, 2024
HomeCyber AttackVice Society Ransomware Gang Attack Schools with Multiple Ransomware Families

Vice Society Ransomware Gang Attack Schools with Multiple Ransomware Families

Published on

SIEM as a Service

According to a joint Cybersecurity Advisory (CSA) from the FBI, CISA, and MS-ISAC published in September 2022, Vice Society actors have recently been primarily targeting the education sector with ransomware assaults.

As the 2022–23 school gets started and malicious ransomware groups see prospects for successful operations, the CSA continued to predict an increase in attacks.

Vice Society Ransomware Gang Targeting Schools 

Vice Society is notorious for targeting the education sector – K-12 and higher education institutions in particular (as referenced in the recent CISA Advisory).

- Advertisement - SIEM as a Service

Experts say ‘Vice Society’ is known for using forks of pre-existing ransomware families in their attack chain that are offered for sale on DarkWeb marketplaces.

Initially, it was noted that their attack chain included an exploit for the CVE-2021-34527 (also known as PrintNightmare) vulnerability.

“The gang is also known to target backups and exfiltrate data from compromised systems to be leveraged for the purpose of double extortion, a common ransomware operation tactic where victims are pressured to pay a specified ransom amount in exchange for decryption and to avoid having sensitive data published on the attacker’s dedicated leak site”, reports Palo Alto Networks.

Vice Society Employed Numerous Distinct Ransomware Strains

  • Vice Society infected victims with the HelloKitty virus in June 2021.
  • Vice Society employed Zeppelin to attack Windows hosts in 2021 and 2022.
  • These attackers used vulnerabilities like PrintNightmare during their 2021 attacks to escalate privileges and expand laterally across targeted networks.

Since educational institutions are the group’s main target, this can be a sign that they’re coordinating their activities with this industry’s particular calendar year. Other targeted sectors include healthcare and nongovernmental organizations (NGOs).

Researchers say the overall attack surface expanded since many organizations use outdated hardware that hasn’t been patched against the most recent vulnerabilities as a result of a lack of spending for systems and security solutions.

Further, controlling and managing the numerous personal devices that students and staff members bring into these organizations is another issue. Due to the possibility of them interacting with personal files via cloud services, these personal gadgets carry an inherent risk.

“Although these sectors might have dedicated IT or security teams that run traditional security solutions such as an intrusion detection system (IDS) or intrusion prevention system (IPS), ransomware threat actors are leveraging living off the land techniques that can effectively circumvent traditional signature-based detection mechanisms”, researchers

Figure 2 is a graph chart showing years 2021 and 2022 showing a significant spike at the beginning of the school year for 2022, 2021. The graph starts in January and ends in December.
Vice Society activity timeline (education-specific leak site victim data)

The majority of the group’s victims are organizations in the United States, United Kingdom, Spain, France, Brazil, Germany, and Italy.

Geographic Distribution

Vice Society appears to have had the greatest influence on educational institutions this year, according to data from leak sites, with at least 33 educational institutions identified on the group’s dedicated ransomware leak site.

Vice Society’s observations on Ransom Demands

  • Initial demands by this actor could exceed $1 million.
  • Final demands after negotiations were as high as $460,000.
  • The difference between initial demands and final demands could be significant. It decreases by as large as 60%.

Implement Security Best Practices

The reports say school districts with low resources and cybersecurity expertise are frequently the ones most at risk from threat actors. 

Further, schools with strong cybersecurity programs may be at risk due to the opportunistic targeting frequently observed with cyber criminals. Due to the volume of sensitive student data that is accessible through school systems or its managed service providers, K-12 institutions may be considered as particularly profitable targets.

Therefore, it is recommended that educational institutions should keep up the implementation of security best practices and be alert to the continuous ransomware threat, particularly at the beginning and end of the school year.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

Deloitte Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...