Researchers at Check Point Research have identified tactical similarities between the Rhysida and Vice Society ransomware groups, both of which target the education and healthcare sectors. The experts assess with medium confidence that the operators of Vice Society are now using Rhysida ransomware in their campaigns.

The Vice Society group (tracked by Microsoft as Storm-0832), active since May 2021, uses pre-built ransomware binaries sold on hacker forums rather than developing its own. Initial network access is gained through compromised credentials or the exploitation of privilege escalation vulnerabilities.

For its part, the Rhysida ransomware group, first observed in May 2023, uses phishing and Cobalt Strike to compromise target networks and deploy its payloads.

Rhysida operators move laterally using Remote Desktop Protocol (RDP) and remote PowerShell sessions, and deploy the ransomware payload with the Windows tool PsExec. Command and control (C2) is maintained through the SystemBC backdoor and remote management tools such as AnyDesk.

In both groups' attack chains, the operators consistently purge logs and forensic artifacts to hide traces of the intrusion, and reset passwords across the entire domain to thwart remediation efforts.

[Figure: Activity of the Vice Society and Rhysida groups.]

According to Check Point, there is a clear correlation between the emergence of Rhysida and the disappearance of Vice Society. The researchers highlighted the use of the legitimate NTDSUtil command-line tool, the creation of local firewall rules to communicate with the C2 server via SystemBC, and the use of the PortStarter tool, previously used exclusively by Vice Society.
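The tradecraft described in the two passages above (PsExec deployment, log purging and domain-wide password resets, NTDSUtil and local firewall rules for SystemBC) maps to Windows event IDs that a SOC can alert on. The script below is an added example, not code from the Check Point report or this article: it runs a handful of detection rules over constructed sample events. The event IDs are real (4688 process creation, 7045 service installation, 4724 password reset attempt, 1102 and 104 log cleared); the host names, accounts, file paths and the ten-minute/three-reset threshold are assumptions for illustration.

```python
"""Detection rules for Vice Society / Rhysida style tradecraft, run over
constructed Windows event-log samples (added example, not the report's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record carries the
# Windows EventID plus the few fields the rules below inspect.
SAMPLE_EVENTS = [
    # Benign noise that must not fire
    {"id": 4688, "time": "2023-06-15T00:58:00", "host": "WS07", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 7045, "time": "2023-06-15T00:59:00", "host": "WS07", "user": "SYSTEM",
     "service": "Sense", "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    # NTDSUtil used to export the AD database (credential theft on the DC)
    {"id": 4688, "time": "2023-06-15T01:02:10", "host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    # Local firewall rule opened for the SystemBC beacon
    {"id": 4688, "time": "2023-06-15T01:05:44", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=out action=allow program="C:\\ProgramData\\svc.exe"'},
    # PsExec service installed ahead of payload execution
    {"id": 7045, "time": "2023-06-15T01:20:03", "host": "FS01", "user": "CORP\\svc_backup",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Burst of password resets from one account (locking defenders out of the domain)
    {"id": 4724, "time": "2023-06-15T01:30:01", "host": "DC01", "user": "CORP\\svc_backup", "target": "CORP\\bob"},
    {"id": 4724, "time": "2023-06-15T01:30:02", "host": "DC01", "user": "CORP\\svc_backup", "target": "CORP\\carol"},
    {"id": 4724, "time": "2023-06-15T01:30:03", "host": "DC01", "user": "CORP\\svc_backup", "target": "CORP\\dave"},
    # Anti-forensics: Security log cleared via wevtutil, then the 1102 audit record itself
    {"id": 4688, "time": "2023-06-15T01:45:00", "host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"id": 1102, "time": "2023-06-15T01:45:01", "host": "DC01", "user": "CORP\\svc_backup"},
]

RESET_WINDOW = timedelta(minutes=10)   # assumed tuning values
RESET_THRESHOLD = 3


def _ts(e):
    return datetime.fromisoformat(e["time"])


def _finding(rule, e, detail=""):
    return {"rule": rule, "host": e["host"], "user": e.get("user", ""), "time": e["time"], "detail": detail}


def detect_single(e):
    """Stateless rules: a single event is enough to raise a finding."""
    image = e.get("image", "").lower()
    cmd = e.get("cmdline", "").lower()
    if e["id"] == 4688 and image.endswith("ntdsutil.exe"):
        return _finding("ntdsutil_execution", e, cmd)
    if e["id"] == 4688 and image.endswith("netsh.exe") and re.search(r"advfirewall\s+firewall\s+add\s+rule", cmd):
        return _finding("firewall_rule_added", e, cmd)
    if e["id"] == 7045 and (e.get("service", "").upper() == "PSEXESVC" or "psexesvc" in image):
        return _finding("psexec_service_installed", e, e.get("service", ""))
    if e["id"] == 4688 and image.endswith("wevtutil.exe") and re.search(r"\bcl\b", cmd):
        return _finding("log_clear_command", e, cmd)
    if e["id"] in (1102, 104):
        return _finding("log_cleared", e, f"EventID {e['id']}")
    return None


def detect_mass_password_reset(events):
    """Stateful rule: RESET_THRESHOLD or more 4724 resets by one actor inside RESET_WINDOW."""
    findings = []
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_actor[e["user"]].append(e)
    for actor, resets in by_actor.items():
        resets.sort(key=_ts)
        start = 0
        for end in range(len(resets)):
            while _ts(resets[end]) - _ts(resets[start]) > RESET_WINDOW:
                start += 1            # slide the window forward
            if end - start + 1 >= RESET_THRESHOLD:
                targets = ", ".join(r["target"] for r in resets[start:end + 1])
                findings.append(_finding("mass_password_reset", resets[end], targets))
                break                 # one finding per actor is enough to page someone
    return findings


def detect(events):
    """Run all rules and return findings ordered by time."""
    findings = [f for f in (detect_single(e) for e in events) if f]
    findings.extend(detect_mass_password_reset(events))
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']:5} {f['rule']:25} {f['user']} {f['detail']}")
```

The stateless rules are cheap and precise on their own; the password-reset rule needs a sliding window because a single 4724 is routine help-desk activity, and it is the burst from one account that signals the domain-wide lockout described above. In production these would be backed by a real SIEM query rather than an in-memory list, and the 1102/104 rule is worth keeping even when the other channels are gone, because the "log cleared" record is written after the purge.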

Since Rhysida first appeared in May 2023, Vice Society has posted only two victims on its leak site. Those victims were likely compromised earlier but not published until June. Vice Society stopped posting to its leak site as of June 21, 2023.

Another important indicator is the consistency in victimology. Both Rhysida and Vice Society target the education sector, which accounts for 32% and 35% of their attacks, respectively.

From the use of remote management tools like AnyDesk to the deployment of ransomware via PsExec, the researchers observed that the TTPs remain largely unchanged from one group to the other.

We previously wrote that, according to a report by Palo Alto Networks Unit 42, Vice Society attacked 33 educational institutions in 2022, more than any other ransomware group. Palo Alto Networks called Vice Society "one of the most influential ransomware groups of 2022." In all, the group also targeted organizations in the healthcare, government, manufacturing, retail and legal services sectors.
