Vice Society ransomware uses new PowerShell data theft tool in attacks
The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.
Stealing corporate and customer data is a standard tactic in ransomware attacks: the data serves as further leverage when extorting victims, or is resold to other cybercriminals for maximum profit.
Vice Society's new data exfiltrator is fully automated and uses "living off the land" binaries and scripts that are unlikely to trigger alarms from security software, keeping the gang's activities stealthy before the final step of the ransomware attack, the encryption of data.
The new data theft tool was discovered by Palo Alto Networks Unit 42 during an incident response in early 2023, when the responders recovered a file named "w1.ps1" from a victim's network. More specifically, the file was referenced in an Event ID 4104 (Script Block Logging) event.
The script uses PowerShell to automate data exfiltration and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill().
Vice Society's new data exfiltration script uses "living off the land" tools to evade detection by most security software, and features multi-processing and process queuing to keep its footprint small and its activity stealthy.
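For defenders hunting for this activity, the following added example (not code from Unit 42 or from the original article) reassembles Script Block Logging (Event ID 4104) fragments from an XML export and flags script blocks whose path ends in "w1.ps1" or that define several of the function names listed above. The sample events, the `C:\Temp` path, the block IDs, the wrapping `<Events>` root element and the three-function threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCRIPT_NAME = "w1.ps1"                                  # file name from the article
FUNCTIONS = ("Work", "Show", "CreateJobLocal", "fill")  # function names from the article

def _event(num, total, block_id, path, text):
    """Build one constructed 4104 event (sample data, not from a real host)."""
    fields = {"MessageNumber": num, "MessageTotal": total, "ScriptBlockText": text,
              "ScriptBlockId": block_id, "Path": path}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f"<Event><System><EventID>4104</EventID></System><EventData>{data}</EventData></Event>"

# Constructed sample: one script logged as two out-of-order fragments, plus an unrelated block.
SAMPLE = ('<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          + _event(2, 2, "blk-a", r"C:\Temp\w1.ps1", "function CreateJobLocal { } function fill { }")
          + _event(1, 2, "blk-a", r"C:\Temp\w1.ps1", "function Work { } function Show { } ")
          + _event(1, 1, "blk-b", "", "function Show { Get-Date }")
          + "</Events>")

def reassemble(xml_text):
    """Group 4104 fragments by ScriptBlockId, keyed by MessageNumber for ordered joining."""
    blocks = defaultdict(lambda: {"path": "", "total": 0, "parts": {}})
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.iterfind("e:EventData/e:Data", NS)}
        blk = blocks[d["ScriptBlockId"]]
        blk["path"] = d["Path"] or blk["path"]
        blk["total"] = int(d["MessageTotal"])
        blk["parts"][int(d["MessageNumber"])] = d["ScriptBlockText"]
    return blocks

def hunt(xml_text, min_functions=3):
    """Flag blocks by script name, or by several function names (each name alone is generic)."""
    findings = []
    for block_id, blk in reassemble(xml_text).items():
        text = "".join(blk["parts"][n] for n in sorted(blk["parts"]))
        hits = [f for f in FUNCTIONS if re.search(rf"\bfunction\s+{re.escape(f)}\b", text, re.I)]
        name_hit = blk["path"].lower().endswith(SCRIPT_NAME)
        if name_hit or len(hits) >= min_functions:
            findings.append({"id": block_id, "path": blk["path"], "functions": hits,
                             "complete": len(blk["parts"]) == blk["total"]})
    return findings

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

A finding with `complete` set to false means some fragments of the script block are missing from the export, so the function-name match may understate what the script contained.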