Same threats, different ransomware
Credit to Author: gallagherseanm| Date: Sat, 11 Nov 2023 02:47:12 +0000
In the world of Ransomware-as-a-Service (RaaS), there are now dozens of affiliate groups using the same ransomware families and switching between the variants they deploy. Taking this kind of attacker flexibility into account, Sophos X-Ops aims to track and cluster threat activity to help us determine a pattern of attacker behavior, independent of the ransomware variant deployed. In a recent blog post, we identified a Threat Activity Cluster (TAC) deploying several different ransomware variants, including Hive, Black Basta, and Royal ransomware, over a period of several months while leveraging the same pattern of TTPs in the various intrusions.
Further exhibiting the benefit of clustering attacker behavior, this post highlights a similar clustering case, in which we identified a ransomware affiliate group move from deploying Vice Society to leveraging Rhysida ransomware in attacks against enterprises. Despite the shift in the ransomware variants deployed, the group’s core Tools, Tactics, and Procedures (TTPs) remain consistent:
- Establishing a connection to the network through a compromised VPN account without multi-factor authentication (MFA) enabled
- Employing tools such as SystemBC, PortStarter, and occasionally Cobalt Strike
- Leveraging applications like Advanced Port/IP Scanner, AnyDesk, PuTTY, and MegaSync
- Performing data collection with 7zip and exfiltration via MegaSync, WinSCP, and custom PowerShell scripts
- Exploiting vulnerabilities like ZeroLogon, along with leveraging tools like Secretsdump and dumping the ntds.dit database in folder temp_l0gs
- Utilizing RDP for lateral movement and PSExec for distributing the ransomware binary
Incident Overview
We base the analysis in this post on data from six sample cases, shown in the following table:
Background
Sophos tracks this cluster of attacker behavior as TAC5279, which overlaps with the activity cluster tracked by Microsoft as Vanilla Tempest (formerly DEV-0832). Sophos first observed an incident involving this activity cluster in November 2022, targeting a customer in the government logistics sector with Vice Society ransomware. Sophos continued to see this threat actor deploy Vice Society ransomware against organizations in education, manufacturing, and logistics, up until June 2023, when Sophos detected the same threat actor deploying Rhysida ransomware against two different organizations in the logistics and education sectors.
First arriving on the scene in the summer of 2021, Vice Society is a prolific ransomware family that gained infamy for its disproportionate targeting of the Education sector in the second half of 2022. On the other hand, Rhysida is a ransomware-as-a-service (RaaS) group that became active in May 2023 and has become known for damaging attacks targeting government, education, and most recently several healthcare organizations.
Previous reports by PRODAFT and Check Point Research have indicated a connection between Vice Society and Rhysida, and have both shared hypotheses on the nature of the association between the two groups. In this blog, we offer further evidence suggesting Vice Society operators have pivoted to using Rhysida ransomware. Notably, according to the ransomware group’s data leak site, Vice Society has not posted a victim since July 2023, which is around the time Rhysida began reporting victims on its site (Figure 1).
Figure 1: Weekly tallies for leaksite posts for Vice Society and Rhysida between January 2022 and October 2023; note the period of overlap in late June / early July
TTPs
In the following section, we detail commonly used TTPs by TAC5279 observed in Sophos Rapid Response and Managed Detection and Response (MDR) cases. Figure 2 provides a granular look at how the observed artifacts map to MITRE’s ATT&CK matrix.
Figure 2: Plugging indicators of compromise into ATT&CK
Initial Access
In all six of the observed incidents, the threat group leveraged valid credentials to access the organizations’ VPNs, which did not have MFA enabled. It’s unclear where the attackers obtained the valid credentials, but we presume they obtained them elsewhere prior to the event, perhaps purchased from an Initial Access Broker (IAB).
The threat actors spent varying amounts of dwell times inside the various networks before deploying the ransomware binary, with the quickest dwell time being four days. However, the threat actors were not focused on a quick in-and-out in all the incidents and even dwelled in one environment for more than three months before deploying ransomware.
In this prolonged incident (Incident 2 in the table above), Vice Society operators first gained access to the network via valid VPN credentials in late October 2022 and immediately executed a Zerologon exploit against the organization’s domain controller using the Mimikatz tool. Zerologon is a critical-severity privilege escalation vulnerability in Microsoft’s Netlogon Remote Protocol (CVE-2020-1472, patched 11 August 2020), which attackers can exploit to gain administrative access to a Windows domain controller without any authentication – effectively giving them control over the network. Following the Zerologon exploit, the attacker appeared to go dormant for a period of roughly three months before evidence of lateral movement began in early February 2023.
Lateral Movement
In almost all the observed incidents, the threat actors used Remote Desktop Protocol (RDP) to move laterally throughout the organizations’ environments. In one Rapid Response case, the attackers used RDP to move laterally more than three hundred times throughout the network during the attack.
While RDP appeared to be the actor’s primary approach to lateral movement, they were also observed leveraging PuTTY to connect to other devices in the network via SSH, as well as PsExec (C:s$PsExec.exe). In most cases, the attackers dropped the binary into the network in a tactic known as “Bringing-Your-Own-Binary” (BYOBins) rather than leveraging native Living-Off-the-Land Binaries (LOLBins). The Sophos detection in this situation is:
C:Users<user>AppDataLocalTemp9putty.exe
The attackers were commonly observed using Advanced Port Scanner and Advanced IP Scanner to identify additional devices within the network to which they could move laterally. Common discovery commands and executables were also observed, such as whoami, nltest.exe /dclist, quser.exe, query.exe, net.exe, and tracert.exe.
Credential Access
In several of the cases, the threat actor dumped the Active Directory database (ntds.dit) on the domain controller to harvest password hashes for accounts in the domain. They used ntdsutil.exe to create a full backup of ntds.dit in the folder temp_l0gs. The following command was observed in multiple compromises:
powershell.exe ntdsutil.exe "ac i ntds" ifm "create full c:temp_l0gs" q q
Microsoft previously reported the same PowerShell command being leveraged in Vice Society compromises by this cluster (DEV-0832). Sophos also observed the attackers using ‘secretsdump.exe’ to dump user credentials from Active Directory, as well as performing LSASS memory dumps.
Command-and-Control (C2)
The threat actors were observed using a variety of backdoors and legitimate tooling for persistence throughout all the intrusions.
PortStarter
In several of the cases, the threat actors deployed the PortStarter backdoor to establish C2 communications. PortStarter is malware written in Go that has the functionality to change Windows firewall settings, open ports, and connect to pre-configured C2 servers. As noted in reporting, PortStarter is commonly categorized as a commodity tool, but reports have noted the backdoor to be closely linked to Vice Society actors. Sophos customers are protected from this activity by memory protection Mem/GoPort-A against the PortStarter backdoor.
To execute the PortStarter backdoor, the attackers were observed creating a scheduled task called ‘System’ for persistence to run C:UsersPublicmain.dll:
C:Windowssystem32schtasks.exe /create /sc ONSTART /tn System /tr “rundll32 C:UsersPublicmain.dll Test” /ru system
Similarly, the threat actors were also observed creating a scheduled task called ‘SystemCheck for persistence to run a PortStarter DLL (C:ProgramDataschk.dll).
C:WindowsTaskswindows32u.dll C:WindowsTaskswindows32u.ps1
Over the course of several cases PortStarter backdoor was observed in different file paths reaching out to the following IPs:
C:WindowsSystem32configmain.dll | 96.62.58 70.104.249 77.102.106 |
c:userspublicmain.dll | 62.141.161 |
C:ProgramDataschk.dll | 154.194.6 |
SystemBC
First seen in 2019, SystemBC is a proxy and remote administrative tool that quickly evolved into a Tor proxy and remote control tool favored by actors behind high-profile ransomware campaigns.
While operating as Vice Society, the threat actor consistently employed SystemBC and PortStarter for C2 activity. Since their transition to the name Rhysida Ransomware, SystemBC has become their primary method for C2, and PortStarter has not yet been observed in any subsequent activities.
In both Vice Society and Rhysida cases, Sophos detected SystemBC PowerShell scripts named svchost.ps1 that create persistence of itself at:
HKCU:SOFTWAREMicrosoftWindowsCurrentVersionRun -name socks
This SystemBC activity is detected by Sophos as Troj/PSDl-PQ, and Sophos also employs memory protection mem/sysbrat-a to protect against SystemBC activity.
AnyDesk
Dual-use agents and remote desktop applications like AnyDesk are highly popular among ransomware threat actors and oftentimes blend into the network as expected activity. Other commonly seen dual-use agents for remote access include TeamViewer, Splashtop, and Connectwise; however, TAC5279 primarily leverages AnyDesk as its tool of choice. Application control policies can mitigate the risk of dual-use agent abuse.
In several incidents, the threat actors were observed running the following commands to automate the installation of AnyDesk on multiple systems within a network:
"C:Windowssystem32cmd.exe" /c C:ProgramDataAnyDesk.exe --install C:ProgramDataAnyDesk --start-with-win –silent
Exfiltration
The threat actors were observed attempting to collect and exfiltrate data prior to ransomware deployment in nearly all the incidents, illustrating the group’s prioritization of data for double-extortion purposes. In many cases, they attempted to exfiltrate several hundreds of gigabytes of data from the networks. Though the actors used various methods for exfiltration, there were a few common observations.
The threat actors frequently downloaded WinSCP, 7zip, and MegaSync.
- winscp-5.17.10-setup.exe
- 7z2201-x64.exe
- MEGAsyncSetup64.exe
In several cases, the threat actors leveraged a PowerShell data exfiltration script.
- <VICTIM_DOMAIN>.LOCALs$w.ps1
- C:s$p1.ps1
The script reads all the available drives and files via WMI and contains two lists named “$includes“ and “$excludes“ that indicate the strings that should be included/excluded from the scan. All this is done to upload files of specified extension and folders on the embedded URI in the following format:
<C2_IP>/upload?dir=<VICTIM>.LOCAL%2f<VICTIM>.LOCAL/$machineName/$drive/$fullPath
Deployment
In both Vice Society and Rhysida incidents, we observed WinSCP being downloaded during the data collection stage and then later being used to write ransomware binaries to disk.
In one case, we detected and cleaned a Vice Society Linux ransomware encryptor as it was transferred into the targets network (Linux/Ransm-W), blocking the intrusion activity.
Vice Society Ransomware uses the file extension .vicesociety and creates an extortion note named:
!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt
In the incident with the exceptionally long dwell time, we observed the actors use a ransomware file named svchost.exe to encrypt files, append them with the extension “vs_team”, and drop a ransom note named “AllYFilesAE” after exfiltrating 770GB of data from the network. The threat actors also encrypted the organization’s backups to inhibit them from recovering their network to a prior working state.
In the later cases we observed, Rhysida Ransomware used the file extension .rhysida and changed to a more “professionally” formatted extortion note:
- CriticalBreachDetected.pdf
This is a commonly reported ransomware note file name for Rhysida ransomware, which is known to hard code the PDF content of the ransom note file into the binary and drop it into each directory.
Conclusion
Though our analysis of these intrusions illustrates a logical correlation between the rise of Rhysida and the dissolution of Vice Society, we do not currently have evidence that confirms that Vice Society has “rebranded” as Rhysida or that Vice Society operators only use Rhysida now. However, we can assert with high confidence that the TAC5279 affiliate group has transitioned to deploying the Rhysida ransomware variant in lieu of Vice Society, while maintaining many of the same tactics in attacks across organizations. Though there is some variation in the cases we’ve observed, the similarities in initial access tactics, the use of PortStarter and SystemBC, and the same credential dumping techniques across incidents point to this being a single evolving Threat Activity Cluster.
TAC5279 is an active threat group that poses a ransomware threat to organizations across multiple sectors and regions, especially to those in the education and healthcare sectors. Rhysida ransomware variants are reported to be under active development, indicating the group will likely continue to leverage the family in compromises.
Many aspects of the TTPs we observed are common across the cybercriminal threat landscape and can be leveraged to deploy a range of ransomware variants. Ransomware affiliates commonly shift between the ransomwares they use, thus highlighting the importance of tracking the entire attack chain behavior rather than solely the deployment of the ransomware payload itself. Sophos continues to cluster attacker behavior to generate actionable intelligence, form effective detections, and more quickly identify malicious activity before ransomware is deployed.
To minimize the threat posed by these groups, we recommend the following steps be taken by organizations:
- Turn on Multi-Factor Authentication (MFA). One of the key overlapping characteristics of Vice Society and Rhysida incidents was a lack of MFA for VPN access into the network. Enabling MFA for VPN access is a critical security control in preventing ransomware compromises by threat actors such as this.
- Enable application control. Application control polices can block unwanted dual-use agents like AnyDesk, WinSCP, PuTTY, and MegaSync. Well defined policies should be used to limit usage of these programs to dedicated user groups.
Indicators of Compromise
A list of relevant IoCs is posted to our GitHub repository.