Today we have launched our first Ransomware Spotlight: a threat intelligence bulletin derived from our visibility into the dark web.
Introducing: Ransomware Spotlight
Through Ransomware Spotlight we will be regularly publishing our own analysis on emerging trends, whether it is a particular group, tactic, or targeted industry. You can sign up here.
The first bulletin in our series – published today – is on Vice Society, a prolific ransomware group that has gained notoriety in recent months for its attacks on the education sector in particular. Through an investigation into dark web traffic to and from infrastructure linked to Vice Society’s historic victims, Searchlight Cyber analysts have identified a pattern of activity that they assess to be precursors to attacks. Combining this data with Open Source Intelligence (OSINT) on Vice Society’s attacks, we assess with medium confidence that this dark web traffic is related to the attack.
Uncovering Vice Society’s Dark Web Footprint
Searchlight Cyber researchers undertook historic dark web traffic analysis on infrastructure related to known Vice Society victims to identify whether indicators of attack could be identified in connections to the dark web network The Onion Router (Tor).
The brief we have published today relates to victims that were listed on Vice Society’s leak site and whose attacks have already been reported in the public domain: Grand Valley State University, Pilton Community College, and Los Angeles Unified School District.
Examining dark web network traffic across these three victims demonstrates a consistent pattern of activity for Vice Society Attacks: a spike in dark web network traffic one to three weeks prior to the victim being listed on the Vice Society leak site. Searchlight analysts also observed that traffic is directed to victims’ public facing websites or portals, consistent with Vice Society’s use of website CVEs to gain initial access.
Using Dark Web Traffic Data
This analysis supports further investigation of dark web traffic as a threat intelligence source to determine whether other ransomware and threat groups have similar “fingerprints” that could help the security industry to create profiles that help organizations to detect attacks and identify the perpetrators.
Further analysis of the dark web traffic data of Vice Society victims could help inform:
- Incident response efforts – by establishing a clear timeline of initial access and reconnaissance.
- Threat intelligence – by contributing supporting data on the group’s Tactics, Techniques and Procedure (TTPs), such as the use of CVEs and targeting of public websites.
- Detection – with continuous analysis of dark web networks providing early warning of Vice Society’s initial access and reconnaissance. By identifying its unique fingerprint, defenders could not only identify that they are being attacked but also who is attacking them, helping to inform mitigation efforts based on a group’s playbook.