Microsoft detects opportunistic ransomware campaigns impacting global education sector
Devdiscourse News Desk | California | Updated: 26-10-2022 13:28 IST | Created: 26-10-2022 13:28 IST

Microsoft has identified active ransomware and extortion campaigns by a threat actor it tracks as DEV-0832, also known as Vice Society. While the cybercriminal group's previous opportunistic attacks have affected various industries, the latest attacks between July and October 2022 have heavily impacted the education sector, particularly in the United States.

In several cases, Microsoft assesses that DEV-0832 did not deploy ransomware at all; instead, the threat actors appeared to exfiltrate data and dwell within compromised networks. The group sometimes forgoes a ransomware payload in favor of simple extortion, threatening to release stolen data unless a payment is made.

According to the Microsoft Security Threat Intelligence researchers, DEV-0832 deployed multiple commodity ransomware variants over the past year, including BlackCat, QuantumLocker, and Zeppelin. Its latest payload is a Zeppelin variant that appends Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked.

In one intrusion, Microsoft security researchers identified a DEV-0832 attempt to deploy QuantumLocker binaries, followed within five hours by another attempt to deploy suspected Zeppelin ransomware binaries. According to Microsoft, this might suggest that the group maintains multiple ransomware payloads and switches between them depending on target defenses or, alternatively, that dispersed operators working under the DEV-0832 umbrella each maintain their own preferred ransomware payload for distribution.

"The shift from a ransomware as a service (RaaS) offering (BlackCat) to a purchased wholly-owned malware offering (Zeppelin) and a custom Vice Society variant indicates DEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or post-ransomware extortion opportunities," Microsoft wrote in a blog post on Tuesday.

Additionally, the cybercriminal group has cross-platform capabilities: Microsoft security researchers identified the deployment of a Vice Society Linux encryptor on a Linux ESXi server.

Microsoft observed that DEV-0832 relies on misusing legitimate system tools such as the Windows Management Instrumentation Command-line (WMIC), Impacket's wmiexec functionality, the vssadmin command and others, which reduces the need to launch malware or malicious scripts that automated security solutions might detect.
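Because these are legitimate tools, blocking them outright is rarely practical; defenders instead look for the specific ways they are used in an intrusion, such as shadow-copy deletion before encryption or shells spawned by the WMI provider host. The following is an added illustration, not code from Microsoft's report, of such detection logic run over a handful of constructed process-creation events (the `host|parent_image|image|command_line` format, the sample lines and the rule names are all assumptions made for this example; the wmiexec output-redirection pattern and the WmiPrvSE.exe parent relationship are the publicly documented behaviours these rules key on).

```python
import re
from dataclasses import dataclass

@dataclass
class Detection:
    line_no: int   # 1-based index of the event in the input
    rule: str      # name of the rule that fired (names are this example's own)
    host: str
    command: str

# Constructed sample process-creation events (not real logs).
# Format assumed for this example: host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
ws01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
ws01|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
srv02|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666771200.5 2>&1
ws01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
srv02|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
ws03|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:srv02 process call create "cmd.exe /c whoami"
"""

# Command-line rules: each is (rule name, compiled pattern). Case-insensitive
# because attackers and admins vary capitalisation freely on Windows.
COMMAND_RULES = [
    # vssadmin removing Volume Shadow Copies, a common precursor to encryption
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    # the same outcome achieved through WMIC instead of vssadmin
    ("shadow_copy_deletion_wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    # WMIC addressing a remote host (lateral movement via WMI)
    ("wmic_remote_node",
     re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    # Impacket wmiexec's default command shape: cmd.exe /Q /c ... redirected to
    # an ADMIN$ share file named with a double underscore and a timestamp
    ("impacket_wmiexec_pattern",
     re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]

SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe")

def scan_events(text: str) -> list[Detection]:
    """Apply the command-line rules and the parent/child rule to each event."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        host, parent, image, cmdline = line.split("|", 3)
        for name, pattern in COMMAND_RULES:
            if pattern.search(cmdline):
                findings.append(Detection(n, name, host, cmdline))
        # A shell whose parent is the WMI provider host is how WMI-based remote
        # execution (wmiexec and friends) shows up in process telemetry.
        if parent.lower().endswith("\\wmiprvse.exe") and image.lower().endswith(SHELL_IMAGES):
            findings.append(Detection(n, "wmiprvse_spawned_shell", host, cmdline))
    return findings

if __name__ == "__main__":
    for d in scan_events(SAMPLE_EVENTS):
        print(f"event {d.line_no} on {d.host}: {d.rule}: {d.command}")
```

Of the six constructed events, the benign svchost and `cmd.exe /c dir` lines produce nothing; the wmiexec line fires twice (once on the command shape, once on the WmiPrvSE.exe parent), which is deliberate: the two rules are independent, so a renamed or re-quoted command still leaves the parent-process signal behind. In a real deployment the shadow-copy rules should be tuned against scheduled backup jobs that legitimately call vssadmin.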

Microsoft's blog also highlights mitigations to reduce the impact of this threat.
