FBI, CISA Ransomware Alert Warns of Vice Society Targeting Education Orgs

A joint Cybersecurity Advisory released today by the FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center warns that Vice Society threat actors are disproportionately targeting the education sector as recently as this month.

Such so-called #StopRansomware advisories describe observed tactics, techniques, and procedures as well as indicators of compromise to help organizations protect themselves against the newest ransomware threats.

"The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks," the advisory states, adding that organizations with limited cybersecurity capabilities and constrained resources are often the most vulnerable, yet the opportunistic targeting often seen with cyber criminals can still put those with robust cybersecurity programs at risk.

The advisory includes technical details of the Vice Society TTPs, using the MITRE ATT&CK® for Enterprise framework, version 11. The technical details included in the advisory are as follows, verbatim from the report (each of which is explained in further detail in the full advisory PDF):

  • Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.
  • Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190].
  • Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [TA0010] for double extortion — a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom.
  • Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used "living off the land" techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047] and tainting shared content [T1080].
  • Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges [T1068]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries through a tactic known as DLL side-loading [T1574.002].
  • Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [T1036], using process injection [T1055], and likely use evasion techniques to defeat automated dynamic analysis [T1497].
  • Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims' network accounts to prevent the victim from remediating.

The advisory also lists specific Indicators of Compromise such as e-mail addresses, TOR addresses, IP addresses, and file hashes for IT practitioners to be on the lookout for, pictured below.

The Cybersecurity Advisory report includes these Indicators of Compromise specific to Vice Society ransomware currently targeting educational organizations in the United States.

Mitigation recommendations make up the last three pages of the advisory, along with a reminder that "all organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field. State, local, tribal, and territorial (SLTT) organizations should report incidents to MS-ISAC (866-787-4722 or SOC@cisecurity.org). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact."

The advisory emphasizes that the FBI is seeking "any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file."

Finally, it advises against paying any ransom: "The FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at kkuykendall@1105media.com.
