top of page
Search

Vice Society Ransomware Gang Uses PowerShell-based Tool for Data Exfiltration



According to researchers at Palo Alto Networks Unit 42, the Vice Society ransomware gang has been using a bespoke PowerShell-based tool to automate the process of exfiltrating data from compromised networks. This tool allows the threat actors to fly under the radar and avoid detection. The group, which is also known as DEV-0832, emerged on the scene in May 2021 and is known for its extortion-focused hacking. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed PolyVice, which implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The cybersecurity firm said the overall design of the tool demonstrates a "professional level of coding." Threat actors are always looking for new ways to avoid detection and automate their attacks. In the case of the Vice Society ransomware gang, they have been using a PowerShell-based tool to exfiltrate data from compromised networks. This tool allows the threat actors to fly under the radar and avoid detection. The group, which is also known as DEV-0832, emerged on the scene in May 2021 and is known for its extortion-focused hacking. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed PolyVice, which implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The cybersecurity firm said the overall design of the tool demonstrates a "professional level of coding." As this shows, threat actors are always looking for new ways to avoid detection and automate their attacks. This particular group has been using a PowerShell-based tool to exfiltrate data from compromised networks. This tool allows the threat actors to fly under the radar and avoid detection. The group, which is also known as DEV-0832, emerged on the scene in May 2021 and is known for its extortion-focused hacking. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed PolyVice, which implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The cybersecurity firm said the overall design of the tool demonstrates a "professional level of coding." As this shows, threat actors are always looking for new ways to avoid detection and automate their attacks. This particular group has been using a PowerShell-based tool to exfiltrate data from compromised networks. This tool allows the threat actors to fly under the radar and avoid detection. The group, which is also known as DEV-0832, emerged on the scene in May 2021 and is known for its extortion-focused hacking. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed PolyVice, which implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The cybersecurity firm said the overall design of the tool demonstrates a "professional level of coding." As this shows, threat actors are always looking for new ways to avoid detection and automate their attacks. This particular group has been using a PowerShell-based tool to exfiltrate data from compromised networks. This tool allows the threat actors to fly under the radar and avoid detection. The group, which is also known as DEV-0832, emerged on the scene in May 2021 and is known for its extortion-focused hacking. In December 2022, SentinelOne detailed the group's use of a ransomware variant,

コメント


bottom of page