The Microsoft Security Threat Intelligence team has identified ransomware and extortion campaigns by the cybercrime group Vice Society (tracked as DEV-0832) against education sectors globally; the campaigns also affected other industries, including local government and retail. Microsoft found that the group has been shifting between payloads, including BlackCat, QuantumLocker, and Zeppelin; its latest payload is a Zeppelin variant that uses Vice Society-specific file extensions.
The cybercrime group has been active since June 2021 and has relied on tactics commonly used by other threat actors, such as the 'use of PowerShell scripts, misuse of legitimate tools, exploitation of publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like SystemBC'. In its blog post, Microsoft provided hunting queries for users and guidance for organisations to strengthen their defences against such attacks.