Ransomware activity continues to rise in prevalence and significance. As such, professionals across all industries - especially those in the health and education sectors - agree that Vice Society, a double extortion ransomware threat group, is a major threat for organizations.
What is Vice Society?
Vice Society is a stealthy threat actor that has been carrying out double extortion ransomware attacks since mid-2021. The group gained notoriety for their extortion tactics which includes both the encryption and exfiltration of a victim’s sensitive data, with the attackers threating to publish the information to a data leak site if the requested ransom is not paid.
Vice Society has a reputation for being one of the few cyber-criminal groups whose modus operandi remains unknown. Specifically, the group meticulously deletes all details related to their double extortion activities to hinder investigation and future preparedness efforts.
How does Vice Society carry out double extortion attacks on their victims?
Vice Society leverages highly destructive techniques. During the data exfiltration and ransomware execution phases, their efforts are extensive, and can be broken down into three steps:
- First, they exfiltrate sensitive data from the victim's environment.
- Second, the group encrypts a victim’s domain and active directory assets, and virtualization level infrastructure.
- Lastly, they lock administrators out of all relevant accounts to impede recovery and restoration efforts.
Throughout the entire cyber-attack, Vice Society deletes logs and traces of evidence that could provide insights into their origins and operations. For a more detailed breakdown of Vice Society’s tactics, techniques, and procedures including forensics data, read our free report: The Vice Society TTPs: Insights from a Real-World Ransomware Investigation.
Why should the health and education sectors be on the lookout for Vice Society?
When evaluating Vice Society’s human-operated attacks, we see that the group targets a disproportional amount of small to medium-sized education and healthcare organizations across the United States and Europe.
On September 6, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert about Vice Society attacks targeting the education sector identified by the Federal Bureau of Investigation (FBI) as recently as September 2022.
In addition, when asked by BleepingComputer in the fall of 2021 why they target these sectors, they stated, “Why not? They always keep our private data open. You, me and anyone else go to hospitals, give them our passports, share our health problems etc. and they don't even try to protect our data. They have billions of government money. Do they steal that money? USA president gave a big amount to protect government networks and where is their protection? Where is our protection? If IT departments don't want to do their job we will do ours and we don't care if it’s a hospital or university."
While many ransomware groups self-regulate and refrain from targeting these sectors, we see that Vice Society has a proclivity for attacking them. As such, it’s pertinent that these sectors remain vigilant in their proactive defense, adversarial security, and incident response.
What attacks have Vice Society been linked to recently?
Over the past 18 months, Vice Society has been publicly linked to the following health and education attacks:
- In August 2022, the Linn-Mar Community School District in Cedar Rapids, Iowa, was reportedly attacked by the threat actors. The K-12 School District reported that it was experiencing “technical difficulties, resulting in a disruption to certain computer systems.” As a result, the District admitted to hiring third-party specialists to investigate, assess, and restore the system capabilities.
- In June 2022, the Medical University of Innsbruck, Australia experienced an attack on their IT infrastructure that impacted 3,400 students and 2,200 employees. According to the University, “intensive work” was done with external experts to restore services.
- In 2021, United Health Centers, a California-based community health organization experienced a Vice Society ransomware attack that disrupted their locations state-wide and resulted in the theft of sensitive patient data.
How can Sygnia help organizations of various industries confront ransomware attacks?
Sygnia is at the forefront of helping the world’s leading organizations respond to complex ransomware attacks. The company’s state-level experts have a deep understanding of ransomware groups attack methods and TTPs and help organizations prevent, detect and respond to an attack as well as recover after an incident.
If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at firstname.lastname@example.org or our 24-hour hotline +1-877-686-8680.
Contributors: Oren Biderman, Shani Adir Nissim, Noam Lifshitz, Eran Liloof, Or Zuckerman Farkash.
This blog post and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this blog post. This blog post is provided on an as-is basis, and without warranties of any kind.