7/1/2023 Malwarebytes ransomware

Move over Lockbit, there's a new ransomware-as-a-service (RaaS) player in town attacking the education sector, and its name is Vice Society. Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) has even released a joint Cybersecurity Advisory (CSA) after observing that Vice Society has disproportionately targeted the education sector.

But with knowledge comes power. The more the education sector knows about Vice Society, the better prepared it is to defend against them. In this article, we'll arm you with five facts about Vice Society so you can get the upper hand against this persistent threat.

1. In 2022 they were far and away the biggest attackers on the education sector

If you're a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least. It wasn't until Vice Society, however, that we saw a gang taking their love for the sector to a whole new level.

Around 40% of the victims shared on the Vice Society leak site are educational institutions, a large proportion compared to other gangs. A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US.

Like many other ransomware gangs, Vice Society is known to steal information from victims' networks before encryption for the purposes of double extortion: threatening to publish the data on the dark web unless you pay the ransom they demand.

And they have shown no signs of slowing down in 2023. As of January 2023, Vice Society has already published the data of six schools on their leak site. That's more than any other RaaS gang so far this year.

2. They leverage living off the land techniques to sneak past detection

Living off the land (LOTL) attacks are when threat actors use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack. Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands.

WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location. Vice Society and other adversaries can use WMI to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

That means you won't be able to detect them using traditional signature-based detection mechanisms: hash values, IOCs and signatures do not detect living off the land attacks. Instead, you'll need to turn to an Endpoint Protection Platform (EPP) that uses a combination of machine learning, behavioral analysis, and sandboxing.

3. We know how they get initial access to networks

So we know what Vice Society is doing once they're in school networks and how to detect it. But how can we stop them from entering in the first place?

Using a combination of data from Unit 42 and the Cybersecurity Advisory (CSA) posted on, we can paint a pretty good picture of how Vice Society is getting initial access to their targets. Vice Society is not reinventing the wheel: these threat actors are using familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold in victim networks.

Three ways Vice Society is known to get initial access (with MITRE IDs)

Our advice is as old as time, but always worth reiterating:

- Address phishing with employee training, web-based protection, and DNS filtering.
- Address compromised accounts by removing dormant accounts, enforcing the principle of least privilege, and having strict password policies.
- Address exploits by maintaining regular vulnerability assessment and patching, preferably using an automated tool.

5. It seems like they're open to negotiating their initial ransoms

First things first, the FBI recommends never paying the ransom to attackers. There's a good argument for not paying too: doing so encourages more attacks and there's no guarantee you'll get your data back either way.
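The detection point made under the living-off-the-land fact (hash and signature matching misses WMI-launched commands, while a behavioral check catches them), as an added example that is not code from the Malwarebytes article. The process-creation records, file paths and hash strings are constructed placeholders, and the parent-child rule is one illustrative behavioral check, not the logic of any particular EPP.

```python
"""Behavioral vs. hash-based detection of WMI living-off-the-land activity.

Added example, not from the article. Event records and hash strings are
constructed for illustration. The telltale used here is WMI's provider host
(WmiPrvSE.exe) spawning a command shell, which is how commands launched
through WMI show up in process-creation telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str
    sha256: str  # constructed placeholder values, not real hashes


# Constructed sample telemetry: one benign shell launched by the desktop
# and two shells launched by the WMI provider host.
EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir", "HASH_CMD_EXE"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami", "HASH_CMD_EXE"),
    ProcessEvent(r"C:\Windows\System32\wbem\wmiprvse.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Process", "HASH_POWERSHELL_EXE"),
]

# Signature approach: a list of known-bad file hashes. Built-in Windows
# binaries are never on it, so LOTL activity produces no hits at all.
KNOWN_BAD_HASHES = {"HASH_SOME_MALWARE_DROPPER"}

# Behavioral approach: the WMI provider host launching an interactive shell
# is anomalous on most endpoints, regardless of the binaries' hashes.
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")


def hash_detections(events):
    """Events whose executable hash is on the known-bad list."""
    return [e for e in events if e.sha256 in KNOWN_BAD_HASHES]


def wmi_lotl_detections(events):
    """Events where WmiPrvSE.exe is the parent of a shell (case-insensitive)."""
    return [e for e in events
            if e.parent_image.lower().endswith("wmiprvse.exe")
            and e.image.lower().endswith(SHELL_IMAGES)]


if __name__ == "__main__":
    print("hash-based hits:", len(hash_detections(EVENTS)))
    for e in wmi_lotl_detections(EVENTS):
        print("WMI-spawned shell:", e.command_line)
```

The same three records yield zero hash-based hits and two behavioral hits, which is the gap the article says an EPP's behavioral layer has to close.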