Due to a rapid increase in ransomware attacks directed at schools, the CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) #StopRansomware: Vice Society. The advisory is directed toward the Russian-based ransomware threat group Vice Society which has been targeting US school districts since its first appearance in 2021.
The advisory addressed the indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs) investigated by the FBI until September 2022. According to reports, the Vice Society has targeted kindergarten through 12th grade over the past few years. This has become a cause of concern for the security of the education sector.
Modus operandi of Vice Society
The modus operandi of Vice Society includes restricting access to systems which has disrupted standard school functionality. “Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff,” the advisory read.
These malware attacks have become more accessible by criminal groups because of the Ransomware as a Service (RaaS) business model, where operators seek payment in return for selling or renting ransomware to cybercriminals.
Vice Society uses versions of Hello Kitty/Five Hands and Zeppelin ransomware, as discovered by the investigative agencies. Zeppelin ransomware belongs to the Delphi-based Vega malware family that seeks payment in Bitcoin.
Gaining unauthorized access
The investigations have led to speculations that Vice Society likely gains access to the target’s system by exploiting internet-facing applications to hack login credentials. Exploring the network, identifying weaknesses in the system and increasing access is followed. After scanning through the systems with these steps, they exfiltrate system data. Exfiltrating data is done after gaining unauthorized access to data, after which data is moved from the source to another location.
Indicators of Compromise (IOCs)
As per reports, the following are the email addresses that Vice Society used:
- v-society.official@onionmail[.]org
- ViceSociety@onionmail[.]org
- OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org
The IP addresses for C2 of Vice Society are:
5.255.99[.]59
5.161.136[.]176
198.252.98[.]184
194.34.246[.]90
Users urged to comply with security standards
Ransomware attacks on the education sector have led to users’ data theft, including the staff and students. It can be misused in several ways, as the group has indicated in their warnings. School authorities have been asked to stay in constant touch with the FBI and the CISA to mitigate potential threats quickly. While some schools, like the Cedar Rapids School District, have been known to have paid the ransom, the FBI has requested victims not to pay a ransom. Paying only encourages the gangs to continue their attacks and does not ensure freedom from future attacks.
Some of the mitigations suggested by the agencies are:
- Maintaining offline backups of data to minimize the impact on the institutions.
- Ensuring that the backed-up data of the entire organization is encrypted to protect it from deletion.
- Review the security of third-party vendors and others connected to monitor suspicious activities.
- Implementing listing policies for applications that allow known programs only.
- Monitoring remote connections quickly denies access to unapproved solutions installed on a workstation.
- Implementing a recovery plan to retain multiple copies of sensitive data in secure locations like a hard drive.
With the reliance of school systems on networks, ransomware attacks on schools are predicted to increase in the coming years. Since some sectors and systems lag in updating online security tools, gangs such as Vice Society can profit easily by exploiting vulnerable systems.