Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
webinar
ON-DEMAND Top Ten ATT&CK Techniques: The Rise of ‘Hunter-Killer’ Malware
Research

RESEARCH

LEARNING

report (1)
REPORT 2024 Gartner® Peer Insights™ Voice of the Customer for Breach and Attack Simulation (BAS) Tools
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Company

COMPANY

PARTNERS

webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

Vice Society Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

Vice Society is a lesser-known ransomware group that buys and modifies ransomware payloads developed by RaaS groups such as HelloKitty and Zeppelin. Vice Society publishes a list of its victims in its Data Leak Site (DLS) and releases its victims’ exfiltrated data on the DLS if they do not pay the ransom. Ransomware groups often avoid healthcare and government organizations; however, Vice Society does not refrain from targeting any industry.
Metadata

Associated Groups

Affiliates - HelloKitty ransomware, Zeppelin ransomware

Associated Country

-

First Seen

June 2021

Target Sectors

Construction, Education, Entertainment, Financial Services, Government, Healthcare, Hospitality, Insurance,Manufacturing, Retail, Utilities, Telecommunications

Target Countries

Argentina, Austria, Brazil, Canada, Colombia, France, Germany, Greece, Indonesia, Italy, Malaysia, New Zealand, Netherlands, Saudi Arabia, Spain, Sweden, Thailand, United Kingdom, United States
Modus Operandi

Business Models

Ransomware-as-a-Service (RaaS) affiliate

Triple Extortion

Extortion Tactics

File Encryption

Data Leakage

Initial Access Methods

Exploit Public-Facing Application

Phishing

External Remote Services

Impact Methods

Data Encryption

Data Exfiltration
Exploited Applications and Vulnerabilities by Vice Society

Application

Vulnerability

CVE

CVSS

Windows Print Spooler

Remote Code Execution

CVE-2021-1675

8.8 High

Windows Print Spooler

Remote Code Execution

CVE-2021-34527

8.8 High
Utilized Tools and Malware by Vice Society

MITRE ATT&CK Tactic

Tools

Execution

PsExec 

Proxychains 

WMI

Defence Evasion

Reg.exe

Wevtutil

Credential Access

NTDSUtil

Discovery

Net.exe

Nltest

Lateral Movement

Mstsc

PsExec

Impact

HelloKitty Ransomware (modified) 

Zeppelin Ransomware (modified)

  • [1]     “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

  • [2]     “ProxyChains - TCP and DNS through proxy server. HTTP and SOCKS.” [Online]. Available: http://proxychains.sourceforge.net. [Accessed: Jul. 07, 2022]

  • [3]     “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: Aug. 03, 2022]

  • [4]     S. Özarslan, “MITRE ATT&CK T1562 Impair Defenses.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1562-impair-defenses (accessed Jul. 14, 2022).

  • [5]     JasonGerend, “wevtutil.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil. [Accessed: Jul. 07, 2022]

  • [6]       S. Özarslan, “MITRE ATT&CK T1003 Credential Dumping.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (accessed Jul. 05, 2022).

  • [7]     “Net.exe.” https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2 (accessed Jul. 06, 2022).

  • [8]     Archiveddocs, “Nltest.” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11). [Accessed: Jul. 07, 2022]

  • [9] “SDBbot.” [Online]. Available: https://attack.mitre.org/software/S0461/. (Accessed: Jul. 07, 2022)

  • [10]     F. Fkie, “HelloKitty (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty. [Accessed: Jul. 20, 2022]

  • [11]     F. Fkie, “Zeppelin (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin. [Accessed: Jul. 20, 2022]

Related Content

August 22, 2022   •   Ransomware

Conti Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

BlackCat Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

Hive Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

Black Basta Ransomware Gang

READ MORE

DISCOVER
MORE RESOURCES

AvosLocker Ransomware Group

Read More

Snatch Ransomware Gang

Read More

Clop Ransomware Gang

Read More