Vice Society attacks Ecolog International
Incident Date:
March 17, 2023
Overview
Title
Vice Society attacks Ecolog International
Victim
Ecolog International
Attacker
Vicesociety
Location
First Reported
March 17, 2023
Vice Society Ransomware Gang Attacks Ecolog International
The Vice Society ransomware gang has attacked Ecolog International. Ecolog International is a multinational company based in Dubai, United Arab Emirates. It utilizes technology and supply chain management to offer services to diverse industries such as energy, construction, facility management, and the environment. Vice Society posted Ecolog International to its data leak site on March 17th but provided no further information.
About Vice Society
Vice Society emerged in the summer of 2021. They engage in intrusion, exfiltration, and extortion activities. Rather than creating their own unique ransomware, the group deploys versions of existing ransomware strains like Hello Kitty/Five Hands and Zeppelin. However, they may adopt different variants in the future.
Method of Operation
Vice Society gains initial access to networks by exploiting compromised credentials through internet-facing applications. Before deploying ransomware, they thoroughly explore the network, looking for opportunities to expand their access and steal data. They employ a tactic known as double extortion, where they threaten to release sensitive information unless a ransom is paid.
The group uses various tools like SystemBC, PowerShell Empire, and Cobalt Strike for lateral movement. They also employ techniques such as abusing the legitimate Windows Management Instrumentation (WMI) service and manipulating shared content. Vice Society takes advantage of the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges.
They ensure persistence by utilizing scheduled tasks, creating hidden autostart Registry keys, and manipulating legitimate services by loading their own malicious dynamic link libraries (DLLs) through DLL side-loading. To avoid detection, the group disguises their malware and tools as legitimate files, employs process injection, and likely uses evasion techniques to bypass automated dynamic analysis.
Additionally, Vice Society targets domain administrator accounts, changes victims' network account passwords, and escalates privileges to impede remediation efforts.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.