The threat actor known as Vice Society has been conducting ransomware and extortion campaigns against the global education sector, particularly in the US.
The findings come from Microsoft security researchers, who published an advisory about Vice Society (tracked by the tech giant as DEV-0832) on Tuesday.
“Shifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832’s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions,” reads the technical write-up.
“In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.”
According to the technology company, Vice Society has been active as early as June of last year.
“While the latest attacks between July and October 2022 have heavily impacted the education sector, DEV-0832’s previous opportunistic attacks have affected various industries like local government and retail,” Microsoft wrote.
Because of these shifting targets, the security researchers have assessed that the group’s motivations are financial in nature, and that the group continues to target companies with weaker security and a higher likelihood of compromise and connected ransom payout.
“Before deploying ransomware, DEV-0832 relies on tactics, techniques, and procedures commonly used among other ransomware actors,” reads the advisory.
These include using PowerShell scripts alongside repurposed legitimate tools, exploits for disclosed vulnerabilities for initial access and elevation of privilege, and commodity backdoors such as SystemBC.
“Ransomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years,” Microsoft said.
“To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations.”
The latest Microsoft advisory about Vice Society includes details about the tactics and techniques used across the group’s campaigns. It also includes hunting queries to help customers search their environments for relevant indicators, protection and hardening guidance against similar attacks.
The technical write-up comes weeks after Check Point’s 2022 Mid-Year Report highlighted a 44% increase in cyber-attacks against the education sector worldwide when compared to 2021.