Introduction
Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.
Activities and Tactics
Country of Origin: 🇷🇺 Russia
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Microsoft Products | Windows | CLFS | CVE-2022-24521 |
| Microsoft Products | Windows | Print Spooler | CVE-2021-1675, CVE-2021-34527 |
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- PowerDuke
- POWERSTATS
- Power Loader
- POWERSOURCE
- PowerRAT
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Discovery | Advanced IP Scanner, Advanced Port Scanner |
| Exfiltration | MEGA, RClone, WinSCP |
| LOLBAS | Minidump, NTDS Utility (ntdsutil), PsExec, WMIC |
| Networking | Proxychains |
| OffSec | Cobalt Strike, Impacket, PowerShell Empire, PowerSploit |
| RMM Tools | PowerAdmin |
Attribution and Evidence
Country of Origin: Russia

Additional attribution information pending cataloguing.
References
References pending cataloguing.