Security News > 2023 > April > Vice Society ransomware uses new PowerShell data theft tool in attacks
The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.
Stealing corporate and customer data is a standard tactic in ransomware attacks for use as further leverage when extorting victims or reselling the data to other cybercriminals for maximum profit.
Vice Society's new data exfiltrator is fully automated and uses "Living off the land" binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data.
The new data theft tool was discovered by Palo Alto Networks Unit 42 during an incident response in early 2023, when the responders recovered a file named "w1.ps1" from a victim's network and, more specifically, referenced in an Event ID 4104: Script Block Logging event.
The script uses PowerShell to automate data exfiltration and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill().
Vice Society's new data exfiltration script uses "Living off the land" tools to evade detection from most security software and features multi-processing and process queuing to keep its footprint small and its activity stealthy.
News URL
Related news
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)