Microsoft Links Hacker Group Vice Society to Several Ransomware Campaigns


Microsoft experts have published a report on the hacker group Vice Society (aka DEV-0832), which uses ransomware to attack the educational sector in the US and other countries around the world.

According to the experts, the attackers switch between the BlackCat, QuantumLocker and Zeppelin ransomware families, as well as a separate Zeppelin variant that is used under the Vice Society “brand”.

Let me remind you that we also reported that BlackCat Says It Attacked Creos Luxembourg, European Gas Pipeline Operator and also that The Austrian Company DSIRF Was Linked to the Knotweed Hack Group and the Subzero Malware.

The Vice Society group has been active since June 2021 and is known for deploying several ransomware families in its victims’ networks. In addition to encrypting files, the criminals steal data from compromised systems and use it for double extortion, threatening to publish the information online if the ransom demands are not met.

One of the biggest and most widely reported recent victims of Vice Society is the second largest school district in the United States, LAUSD (Los Angeles Unified School District).

As Microsoft Security Threat Intelligence analysts now write, from July to October 2022 the group alternated between the malware families listed above, and in September it also used a modified version of its own RedAlert payload, which appends the .locked extension to encrypted files.

Bleeping Computer journalists note that in addition to the malware mentioned in the experts’ report, the group also uses the HelloKitty/Five Hands ransomware in its attacks.

In addition, Vice Society sometimes skips the data encryption step altogether: the operators simply steal confidential data from their victims’ networks and demand a ransom under the threat of leaking it.

Microsoft writes that the group “continues to focus on organizations with weak security measures” that are easy to hack and ransom. In particular, the Vice Society clearly focuses on the education sector.

Microsoft believes that in some cases the group did not deploy ransomware at all and likely carried out extortion using only the stolen data.

“The shift from using the BlackCat RaaS (Ransomware-as-a-Service) to fully purchasable malware (Zeppelin) and Vice Society’s own custom variant indicates that DEV-0832 has extensive connections in the cybercriminal environment and tests ransomware payloads for effectiveness, as well as post-ransomware extortion capabilities,” the experts conclude.

By Vladimir Krasnogolovy
