{"id":20043,"date":"2022-09-07T16:10:18","date_gmt":"2022-09-08T00:10:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/09\/07\/news-13776\/"},"modified":"2022-09-07T16:10:18","modified_gmt":"2022-09-08T00:10:18","slug":"news-13776","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/09\/07\/news-13776\/","title":{"rendered":"Warning issued about Vice Society ransomware targeting the education sector"},"content":{"rendered":"

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint  Cybersecurity Advisory (CSA)<\/a> after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.<\/p>\n

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.<\/p>\n

This CSA is part of an ongoing #StopRansomware<\/a> effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. After issuing advisories about MedusaLocker<\/a> and Zeppelin ransomware<\/a>, this is the third CSA of 2022 which aims to provide technical information on ransomware variants and ransomware threat actors.<\/p>\n

Vice Society<\/h2>\n

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. Malwarebytes has been tracking the group since December 2020. Due to similarities in naming and tactics we suspect there is a tie to the HelloKitty ransomware<\/a> group. Both use the .kitty<\/em> or .crypted<\/em> file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty\/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.<\/p>\n

The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.<\/p>\n

Tactics<\/h2>\n

Vice Society has been known to exploit known vulnerabilities in SonicWall products<\/a>, and the set of vulnerabilities commonly referred to as PrintNightmare<\/a>. The CSA also mentions the gang exploiting internet-facing applications without providing details.<\/p>\n

Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrate data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike<\/a> in order to move laterally.<\/p>\n

Los Angeles Unified school district<\/h2>\n

In a recent example of a school district targeted by ransomware, the huge Los Angeles Unified School District fell victim to a ransomware attack<\/a>. LAUSD is the second largest school district In the US, and the attack targeted the LAUSD’s information technology systems during the Labor Day weekend. Authorities moved to shut down many of the district’s most sensitive platforms over the weekend to stop the spread and restrict the damage, and by Tuesday most online services — including key emergency systems — were operating safely.<\/p>\n

The attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down.<\/p>\n

An investigation involving the FBI, the Department of Homeland Security and local law enforcement is underway. <\/p>\n

Mitigation<\/h2>\n

From the example above we can see that constant monitoring and adequate intervention helped to limit the impact.<\/p>\n

Besides IOCs and attack techniques, the CSA provides a lot of mitigation advice. Since the techniques used by the Vice Society group are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators<\/a>.<\/p>\n

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups, for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.<\/p>\n

Backups<\/h3>\n

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. This makes it less likely that you will be severely interrupted, and\/or only have irretrievable data, in the event of a ransomware attack.<\/p>\n

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.<\/p>\n

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.<\/p>\n

Authentication<\/h3>\n

Require all accounts with password logins to meet the required standards for developing and managing password policies:<\/p>\n