Vice Society attacks Ecolog International

The Vice Society ransomware gang has attacked Ecolog International. Ecolog International is a multinational company based in Dubai, United Arab Emirates. It utilizes technology and supply chain management to offer services to diverse industries such as energy, construction, facility management, and the environment. Vice Society posted Ecolog International to its data leak site on March 17th but provided no further information. Vice Society emerged in the summer of 2021. They engage in intrusion, exfiltration, and extortion activities. Rather than creating their own unique ransomware, the group deploys versions of existing ransomware strains like Hello Kitty/Five Hands and Zeppelin. However, they may adopt different variants in the future. Vice Society gains initial access to networks by exploiting compromised credentials through internet-facing applications. Before deploying ransomware, they thoroughly explore the network, looking for opportunities to expand their access and steal data. They employ a tactic known as double extortion, where they threaten to release sensitive information unless a ransom is paid. The group uses various tools like SystemBC, PowerShell Empire, and Cobalt Strike for lateral movement. They also employ techniques such as abusing the legitimate Windows Management Instrumentation (WMI) service and manipulating shared content. Vice Society takes advantage of the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges. They ensure persistence by utilizing scheduled tasks, creating hidden autostart Registry keys, and manipulating legitimate services by loading their own malicious dynamic link libraries (DLLs) through DLL side-loading. To avoid detection, the group disguises their malware and tools as legitimate files employs process injection, and likely uses evasion techniques to bypass automated dynamic analysis. Additionally, Vice Society targets domain administrator accounts, changes victims' network account passwords, and escalates privileges to impede remediation efforts.