Vice Society attempts to extort UK school by posting sensitive files

Target Industry

Education sector.

Overview

On 2nd February 2023, the Vice Society ransomware group claimed to have stolen sensitive data from Guildford County School, the most recent British educational establishment that it has targeted. It was reported that hundreds of files were posted to the group’s leak site on the dark web. Several of these have file names indicating that they are ‘safeguarding reports’, documents that teachers write to record information regarding at-risk students.

At the time of writing, further details regarding the extent or nature of the attack have not officially been released. However, the school has confirmed that they will continue to operate whilst the incident is subjected to further analysis.

Impact

Successful exploitation by one of Vice Society’s ransomware strains will result in the encryption and exfiltration of significant quantities of data contained on target systems. The ransom fee demanded will almost certainly depend on the estimated value of the compromised organisation.

Vice Society’s double extortion strategy will almost certainly result in all compromised data being published to dark web forums, where there is a realistic possibility that the stolen data will be used to gain initial access in future attacks. In this instance, the stolen data was indeed published.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as Vice Society’s ransomware suite. EDR tools can alert security teams to potential breaches and halt further progress before the malware can cause significant damage.

Affected Products

Although the particular ransomware strain associated with the reported attack has yet to be made public, the following Vice Society ransomware strains target the platforms listed beside them:

– HelloKitty ransomware – Linux
– Zeppelin ransomware – Windows OS
– PolyVice ransomware – Unknown: likely targets both Windows OS and Linux.

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to identify the signs of phishing emails, as spear phishing is a common initial ingress mechanism used by Vice Society. Whilst user awareness reduces the likelihood of successful exploitation, in-house training cannot prevent attacks by threat actors who already hold stolen data obtained via information-stealing malware or other harvesting methods.

Additional technical controls should also be explored, including the implementation of:

– Multi-factor Authentication (MFA) protocol for all users
– Conditional Access Policies
– Web proxy filtering on low- or non-reputation domains.

Vice Society has historically targeted systems by exploiting known vulnerabilities such as PrintNightmare. It is therefore strongly advised to ensure that the PrintNightmare patches provided by Microsoft have been installed on all associated systems.

As mentioned above, the main method of reducing the threat posed by Vice Society ransomware is to detect it in the early stages through the use of an effective and monitored EDR solution. Organisations should also take routine back-ups of the sensitive data required for business operations and keep an offline copy in case the back-ups themselves are impacted by the attack. If a breach then occurs and the organisation can no longer function, a back-up is ready to use and the business can continue to operate with minimal disruption. However, this does not change the fact that organisational data may also have been lost, and potentially released, as was the case in this attack.

Indicators of Compromise

HelloKitty ransomware associated SHA256 file hashes:

– 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe
– 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0
– ccacf4658ae778d02e4e55cd161b5a0772eb8b8eee62fed34e2d8f11db2cc4bc
– 61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9
– 99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e
– 02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851
– fdc2de095390ec046dc3f398a47a38670282bdc2ef76dd7fc1195ac4ee0421a8
– 0e5f7737704c8f25b2b8157561be54a463057cd4d79c7e016c30a1cf6590a85c
– 3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9
– 7be901c5f7ffeb8f99e4f5813c259d0227335680380ed06df03fb836a041cb06
– a147945635d5bd0fa832c9b55bc3ebcea7a7787e8f89b98a44279f8eddda2a77
– c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e
– 3b90d9fad35a45a738c6b2830896168c99014474de17984411be61b25acf6db56
– 7d57e0ba8b36ec221b16807ce4e13a1125d53922fa50c3827a5ebd6811736ffd
– c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323
– fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
– 947e357bfdfe411be6c97af6559fd1cdc5c9d6f5cea122bf174d124ee03d2de8
– dc007e71085297883ca68a919e37687427b7e6db0c24ca014c148f226d8dd98f
– 18229920a45130f00539405fecab500d8010ef93856e1c5bcabf5aa5532b3311
– 10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768

Zeppelin ransomware associated SHA256 file hash:

– a820dbdaa8f89c3f47a4bd95ae40a8220b1d444c062a0f776f7c140ce7b7ce69

PolyVice ransomware associated SHA256 file hashes:

– 1df9b68a8642e6d1fcb786d90a1be8d9633ee3d49a08a5e79174c7150061faa8
– f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61

Vice Society domains:

– bitron[.]com
– glutz[.]com
– imacorp[.]com
– kinetic[.]ph
– afasd[.]net
– albina[.]com
– avsolutionsltd[.]com
– baysgarthschool[.]co[.]uk
– capitalpower[.]com
– cristalcontrols[.]com
– dixonsaa[.]com
– feuvert[.]es
– fiscosaudepe[.]com[.]br
– fvsra[.]org
– grandview[.]org
– gruposifu[.]com
– hollerclassic[.]com
– huntsvilletexas[.]com
– huntsvilletx[.]gov
– hydro-gear[.]com
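The hashes and defanged domains above are only useful once they are loaded into something that actually checks telemetry. The following Python script is an added example, not code from the bulletin or from any vendor: it validates the SHA256 strings (rejecting anything that is not exactly 64 hex digits, since copied IoC lists often pick up stray characters), refangs the `[.]` notation, and sweeps a few constructed EDR, DNS and proxy log lines for hash and domain matches. The four hashes and four domains embedded in it are a subset of those listed above; the log lines, host names and field names (`sha256=`, `query=`, `url=`) are constructed for the example.

```python
"""Added example: sweep sample telemetry for the SHA256 hashes and defanged
domains published in the bulletin. Log lines are constructed, not real data."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Subset of the bulletin's SHA256 hashes (two HelloKitty, two PolyVice).
RAW_HASHES = [
    "501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe",
    "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0",
    "1df9b68a8642e6d1fcb786d90a1be8d9633ee3d49a08a5e79174c7150061faa8",
    "f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61",
]
# Subset of the bulletin's domains, kept defanged exactly as published.
RAW_DOMAINS = [
    "bitron[.]com",
    "baysgarthschool[.]co[.]uk",
    "huntsvilletx[.]gov",
    "fiscosaudepe[.]com[.]br",
]

# A SHA256 is exactly 64 hex digits; the look-arounds stop a 65-digit string
# (a common copy/paste artifact) from matching on its first 64 characters.
HEX64 = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")
# Fields in the constructed log format that carry a hostname or URL.
HOST_FIELD = re.compile(r"\b(?:query|url)=(\S+)")


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str        # "hash" or "domain"
    indicator: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable one."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def normalise_hashes(raw):
    """Lower-case and validate SHA256 strings; returns (accepted set, rejected list).
    Anything that is not exactly 64 hex digits is reported, not silently loaded."""
    accepted, rejected = set(), []
    for h in raw:
        h = h.strip().lower()
        if HEX64.fullmatch(h):
            accepted.add(h)
        else:
            rejected.append(h)
    return accepted, rejected


def extract_hosts(line: str) -> list[str]:
    """Pull hostnames from query=/url= fields; URLs are reduced to their host."""
    hosts = []
    for value in HOST_FIELD.findall(line):
        if "://" in value:
            value = urlparse(value).hostname or ""
        if value:
            hosts.append(value.lower().rstrip("."))
    return hosts


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match only: mail.bitron.com hits, bitron.com.example.net does not."""
    return host == domain or host.endswith("." + domain)


def sweep(lines, hashes, domains) -> list[Match]:
    """Return every hash or domain hit, tagged with the 1-based log line number."""
    matches = []
    for n, line in enumerate(lines, 1):
        for h in HEX64.findall(line.lower()):
            if h in hashes:
                matches.append(Match(n, "hash", h))
        for host in extract_hosts(line):
            for d in domains:
                if host_matches(host, d):
                    matches.append(Match(n, "domain", d))
    return matches


# Constructed sample telemetry (EDR file events, DNS queries, proxy requests).
SAMPLE_LOGS = [
    "2023-02-03T08:12:41Z host=FS01 event=FileCreate path=C:\\Users\\Public\\svc.exe "
    "sha256=501487B025F25DDF1CA32DEB57A2B4DB43CCF6635C1EDC74B9CFF54CE0E5BCFE",
    "2023-02-03T08:13:02Z host=WS17 event=DnsQuery query=mail.bitron.com",
    "2023-02-03T08:13:05Z host=WS17 event=DnsQuery query=bitron.com.example.net",
    "2023-02-03T08:14:10Z host=WS22 event=ProxyRequest url=https://huntsvilletx.gov/index.html",
    "2023-02-03T08:15:00Z host=FS01 event=FileCreate path=C:\\Windows\\notepad.exe "
    "sha256=" + "ab" * 32,
]

IOC_HASHES, REJECTED_HASHES = normalise_hashes(RAW_HASHES)
IOC_DOMAINS = {refang(d) for d in RAW_DOMAINS}

if __name__ == "__main__":
    for m in sweep(SAMPLE_LOGS, IOC_HASHES, IOC_DOMAINS):
        print(f"line {m.line_no}: {m.kind} match on {m.indicator}")
```

Run as-is it reports three hits (the file hash on line 1, `bitron.com` via its subdomain on line 2, and `huntsvilletx.gov` on line 4) and correctly ignores the look-alike `bitron.com.example.net`. Treat a hit as a lead to investigate with the surrounding process and network context rather than as a verdict on its own, and review whatever `normalise_hashes` rejects by hand before discarding it.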

Threat Landscape

Vice Society has been observed concentrating its attack efforts on organisations within the education sector and, with its development of a new ransomware variant, it is highly likely that such attacks will continue.

Threat Group

Ransomware strains and their affiliated groups are engaged in a constant cycle of adaptation and notoriety. A relatively new variant of ransomware may emerge and, within just a few months, achieve significant status as a high-profile threat. PolyVice is one such example. This ransomware poses a heightened threat to victim networks because there has not yet been enough time for security experts to fully dissect and learn its operating methods, and an expansive library of Indicators of Compromise is therefore still being compiled.

The Vice Society group operates much like other online criminal groups by utilising the double extortion technique. This means that not only does the group encrypt the private data of the victim and demand a ransom for the keys, but they also threaten them with the publication of the data on their own dark web site. This is likely designed to increase pressure on the victim and increase the likelihood of payment, as the publication of data can cause security concerns in the future.

Mitre Methodologies

HelloKitty/Zeppelin ransomware:

T1595 – Active Scanning
T1592 – Gather Victim Host Information
T1566 – Phishing
T1078 – Valid Accounts
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1569.002 – System Services: Service Execution
TA0009 – Collection
T1053 – Scheduled Task/Job
T1098 – Account Manipulation
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1070.001 – Indicator Removal: Clear Windows Event Logs
T1070.003 – Indicator Removal: Clear Command History
T1562.001 – Impair Defenses: Disable or Modify Tools
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1003.003 – OS Credential Dumping: NTDS
T1021.001 – Remote Services: Remote Desktop Protocol
T1090.002 – Proxy: External Proxy
T1020 – Automated Exfiltration
T1486 – Data Encrypted for Impact
T1531 – Account Access Removal

PolyVice ransomware:

T1592 – Gather Victim Host Information
T1566 – Phishing
T1078 – Valid Accounts
T1037 – Boot or Logon Initialization Scripts
T1070.004 – Indicator Removal: File Deletion
T1497.001 – Virtualization/Sandbox Evasion: System Checks
T1003 – OS Credential Dumping
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1491.001 – Defacement: Internal Defacement

Further Information

Record Media Post