A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide.
While this isn’t necessarily new information, since the group is known for using multiple ransomware strains in some attacks, Microsoft has also seen them use this tactic against organizations in the U.S. education sector between July and October 2022.
As Microsoft Security Threat Intelligence analysts shared in a report published today, Vice Society (tracked by Redmond as DEV-0832) has been swapping between BlackCat, QuantumLocker, Zeppelin, and a Vice Society-branded variant of Zeppelin ransomware.
Since September, they’ve shifted to a modified version of their payload dubbed RedAlert that adds the .locked file extension to encrypted documents, according to Microsoft’s analysts.
While Vice Society runs its own data leak site, it should be noted that the RedAlert and BlackCat operations have their own leak sites as well.
Besides the strains mentioned in the report, BleepingComputer is aware that the gang has also been deploying HelloKitty/Five Hands ransomware as part of their attacks.
Vice Society will also skip the ransomware deployment stage in some attacks, with the operators opting to steal sensitive data from their victims’ networks and extort them under the threat of leaking the stolen files online.
“In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data,” the company said.
“The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities.”
Targets set on U.S. schools
Vice Society is a threat group active since at least early June 2021, known for deploying multiple ransomware strains on their victims’ networks, such as HelloKitty/Five Hands and Zeppelin ransomware.
They also exfiltrate data from compromised systems before encryption and use it for double extortion, threatening to leak it online if their ransom demands aren’t met.
One of the group’s most recent victims is Los Angeles Unified (LAUSD), the second-largest school district in the United States.
Another high-profile education sector victim is the Austrian Medical University of Innsbruck, which had to reset all 3,400 students’ and 2,200 employees’ account passwords following severe IT service disruption.
In November, a group of U.S. Senators urged the Departments of Education and Homeland Security to strengthen cybersecurity protections at K-12 schools so that they can keep up with this ongoing wave of ransomware attacks.
Last month, the FBI and CISA also warned in a joint advisory that the Vice Society group disproportionately targets the U.S. education sector.