DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
Microsoft Security Blog, published October 25, 2022 (last modified October 13, 2023)
https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0832 is now tracked as Vanilla Tempest.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832's latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.

DEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832's previous opportunistic attacks have affected various industries like local government and retail. Microsoft assesses that the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout. Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors, including the use of PowerShell scripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like SystemBC.

Ransomware has evolved into a complex threat that's human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations. Defenders can build a robust defense against ransomware by reading our ransomware as a service blog.

In this blog, we detail Microsoft's analysis of observed DEV-0832 activity, including the tactics and techniques used across the group's campaigns, with the goal of helping customers identify, investigate, and remediate activity in their environments. We provide hunting queries to help customers comprehensively search their environments for relevant indicators as well as protection and hardening guidance to help organizations increase resilience against these and similar attacks.

Who is DEV-0832 (Vice Society)?

Microsoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a unique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an initial foothold in compromised networks, DEV-0832 has reportedly exploited vulnerable web-facing applications and used valid accounts. However, due to limited initial signals from affected organizations, Microsoft has not confirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for disclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and exfiltrate data, and deploy ransomware.

After deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the group's [.]onion site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the actors appeared to exfiltrate data and dwell within compromised networks. The group sometimes avoids a ransomware payload in favor of simple extortion—threatening to release stolen data unless a payment is made.

The group also goes to significant measures to ensure that an organization cannot recover from the attack without paying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user passwords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some devices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or post-compromise incident response.
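The mass password reset described above leaves a distinctive trail in the Windows Security log (Event ID 4724, "An attempt was made to reset an account's password"). The following Python example is added here and is not code from Microsoft's post; it flags any subject account that resets an unusually large number of distinct users inside a short sliding window. The event records, account names, and the threshold of 50 resets in 10 minutes are constructed assumptions to be tuned per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows Security log Event ID 4724: "An attempt was made to reset an account's password".
EVENT_PASSWORD_RESET = 4724
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def find_mass_resets(events, threshold=50, window=timedelta(minutes=10)):
    """Return {subject: peak} for every subject account that reset at least
    `threshold` distinct target accounts inside some sliding time window."""
    by_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] == EVENT_PASSWORD_RESET:
            by_subject[ev["subject"]].append((datetime.strptime(ev["time"], TS_FMT), ev["target"]))
    flagged = {}
    for subject, items in by_subject.items():
        items.sort()  # chronological order
        in_window = Counter()  # distinct targets currently inside the window
        start = peak = 0
        for t, target in items:
            in_window[target] += 1
            while t - items[start][0] > window:  # slide the left edge forward
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[subject] = peak
    return flagged


def make_sample_events():
    """Constructed sample telemetry (not real data): a helpdesk account doing
    five routine resets over an hour, and a domain admin account (assumed name)
    resetting 600 distinct users within five minutes."""
    base = datetime(2022, 9, 20, 2, 0, 0)
    events = []
    for i in range(5):
        events.append({"time": (base + timedelta(minutes=12 * i)).strftime(TS_FMT),
                       "event_id": EVENT_PASSWORD_RESET,
                       "subject": "CORP\\helpdesk1", "target": f"user{i:05d}"})
    for i in range(600):
        events.append({"time": (base + timedelta(seconds=i // 2)).strftime(TS_FMT),
                       "event_id": EVENT_PASSWORD_RESET,
                       "subject": "CORP\\da-admin1", "target": f"user{1000 + i:05d}"})
    return events


if __name__ == "__main__":
    for subject, peak in find_mass_resets(make_sample_events()).items():
        print(f"ALERT: {subject} reset {peak} distinct accounts within 10 minutes")
```

In production the same logic applies to 4724 events exported from a SIEM; the routine helpdesk account never exceeds one reset per window, while the burst account is reported with its peak count.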

Toolset

Ransomware payloads

Microsoft has observed DEV-0832 deploy multiple commodity ransomware variants over the past year: BlackCat, QuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware. While many ransomware groups have shifted away from branded file extensions in favor of randomly generated ones, DEV-0832 incorporated branding with their Vice Society variant using .v-s0ciety or .v-society file extensions. Most recently, in late September 2022, DEV-0832 again modified their ransomware payload to a variant dubbed RedAlert, using a .locked file extension.

In one July 2022 intrusion, Microsoft security researchers identified DEV-0832 attempting to deploy QuantumLocker binaries and then, within five hours, attempting to deploy suspected Zeppelin ransomware binaries. Such an incident might suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella might maintain their own preferred ransomware payloads for distribution. The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities.

In many intrusions, DEV-0832 stages their ransomware payloads in a hidden share on a Windows system, for example accessed via a share name containing "$". Once DEV-0832 has exfiltrated data, they then distribute the ransomware onto local devices for launching, likely using group policy, as shown in the command in Figure 1:

Figure 1. Group policy to distribute ransomware onto local devices

The group also has cross-platform capabilities: Microsoft identified the deployment of a Vice Society Linux Encryptor on a Linux ESXi server.

PowerShell scripts

DEV-0832 uses a PowerShell script to conduct a variety of malicious activities and make system-related changes within compromised networks. Like their ransomware payloads, DEV-0832 typically stages their PowerShell scripts on a domain controller.

Microsoft security researchers have observed several variations among identified DEV-0832 PowerShell scripts, indicating ongoing refinement and development over time—while some only perform system discovery commands, other scripts are further modified to perform persistence, defense evasion, data exfiltration, and even distribute the ransomware payloads.

Commodity tools

According to Microsoft investigations, DEV-0832 has used two commodity backdoors in ransomware attacks: SystemBC and PortStarter.

SystemBC is a post-compromise commodity remote access trojan (RAT) and proxy tool that has been incorporated into multiple diverse ransomware attacks. In one DEV-0832 intrusion, the attacker used both a compromised domain admin user account and a compromised contractor account to launch a PowerShell command that launched a SystemBC session under the value name "socks":

Figure 2. PowerShell command launching a SystemBC session named 'socks'

PortStarter is a backdoor written in Go. According to Microsoft analysis, this malware provides functionality such as modifying firewall settings and opening ports to connect to pre-configured command-and-control (C2) servers.

DEV-0832 has also deployed ransomware payloads using the remote launching tool Power Admin. Power Admin is a legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing. If an organization has enabled Console Security settings within Power Admin, an attacker must have credentials to make authorized changes.

Other commodity tools identified in DEV-0832 attacks include Advanced Port Scanner and Advanced IP Scanner for network discovery.

Abuse of legitimate tooling

Like many other ransomware actors, DEV-0832 relies on misusing legitimate system tools to reduce the need to launch malware or malicious scripts that automated security solutions might detect. Observed tools include: