Vice Society Ransomware: Threat group automates data theft using PowerShell scripts

Vice Society is a ransomware gang that has been involved in high-profile activity and are known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware. Vice Society ransomware program encrypts data (renders files inaccessible) and demands ransoms for the decryption (access recovery). An extension of “.v-society.[victim’s_ID]” is added to encrypted files. For instance, a file with the original name “1.jpg” would appear as “1.jpg.v-society.923-C3D-30D”. A ransom note with the filename “!!! ALL YOUR FILES ARE ENCRYPTED!!!.TXT” appears once this operation is finished.

A new, quite complex PowerShell script is recently being used by the Vice Society ransomware gang to automate data theft from vulnerable networks. The script consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill(). These four functions are used to identify potential directories for exfiltration, process groups of directories, and eventually exfiltrate data via HTTP POST requests to Vice Society’s servers. A common strategy used in ransomware attacks is the theft of company and consumer data, which is then sold to other hackers for maximum profit or used as additional pressure when extorting victims.

Before the data is encrypted as the final part of the ransomware attack, Vice Society’s new entirely automated data exfiltrator uses “living off the land” (LOTL) binaries and scripts that are unlikely to set off security software alerts. LOTL attacks allow threat actors to conceal themselves as they carry out their operations by using genuine means for nefarious ends.

Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands. WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location.

Vice society ransomware is known to target states and local governments, the manufacturing industry, and financial services in nations including the United States, the United Kingdom, Spain, Brazil, France, Germany, Italy, and Australia.