Vice Spider is a Russian-speaking ransomware group active since at least April 2021. Known for leveraging identity-based attacks and exploiting vulnerabilities, they primarily use ransomware variants like Zeppelin and Hello Kitty. Their operations often involve double extortion tactics, targeting sectors with limited cybersecurity resources.
Vice Spider focuses on double extortion, combining data encryption with threats to release sensitive information. They disproportionately target the education sector, exploiting its limited cybersecurity defenses.
Exploiting vulnerabilities in internet-facing applications (e.g., PrintNightmare).
Using tools like SystemBC, PowerShell Empire, and Cobalt Strike for lateral movement.
Initial access through compromised credentials.
Privilege escalation via vulnerabilities like PrintNightmare.
Persistence through scheduled tasks and DLL side-loading.
Evasion using process injection and masquerading.
Frequent ransomware attacks on K-12 schools, exploiting their limited cybersecurity resources.
Leveraging Kerberos vulnerabilities to crack user passwords and escalate privileges.
No arrests have been reported for Vice Spider members. However, global law enforcement agencies continue to monitor their activities.
Implement multifactor authentication to secure accounts.
Regularly update and patch systems, prioritizing known vulnerabilities.
Segment networks to limit lateral movement.
Maintain offline backups of critical data.
Monitor for abnormal activity using endpoint detection and response (EDR) tools.
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Vice Spider threats with enterprise-grade technology.