Skip to main content Link Menu Expand (external link) Document Search Copy Copied
DFIR Ransomware Project
Category Details References
Actors    
First Observed Summer 2021 1
Threat Actors    
Environment    
Platforms Windows and Linux(ESXi) 2
Artifacts    
Extensions .v-society.XXX-XXX-XXX 3
Ransomware Notes !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT 1
Services it Disables Not automated, but have been observed disabling PowerShell logging, Bypassing AMSI protection for PowerShell 4
Other Observables Modify System Process, Registry Run Keys/Startup Folder, DLL Side-Loading, Scheduled Task/Job 2
Automation    
Automatically Gains Access No. Typically gain access through compromised credentials by exploiting internet-facing applications) 2
Automatically Escalates Privileges Yes (through PrintNightmare vulnerability) 1
Requires Human Interaction Yes 2
Automatic Exfiltration No. Have been seen exfiltrating sensitive information over SMB (TCP/445) directly from a compromised domain controller 4
Automatic Propagation No. Can deliver payloads to shared location 4

Please note, this page was last updated at 2023-03-14 20:21.

  1. https://socradar.io/dark-web-profile-vice-society//  2 3

  2. https://www.cisa.gov/uscert/ncas/alerts/aa22-249a  2 3 4

  3. https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/ 

  4. https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html  2 3