Vice Society Encrypted File Extension File Creation
Detects creation of potentially-encrypted files by Vice Society ransomeware. As this is based only on file extensions, the analyst should investigate surrounding activity to validate that this is not part of a benign applicatoin.
Sigma rule (View on GitHub)
1title: Vice Society Encrypted File Extension File Creation
2id: ba85a1ba-a194-4f03-9064-0c53da092698
3status: experimental
4description: Detects creation of potentially-encrypted files by Vice Society ransomeware. As this is based only on file extensions, the analyst should investigate surrounding activity to validate that this is not part of a benign applicatoin.
5references:
6 - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
7 - https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
8author: Micah Babinski
9date: 2022/11/26
10tags:
11 - attack.impact
12 - attack.t1486
13logsource:
14 category: file_event
15 product: windows
16detection:
17 selection:
18 TargetFilename|endswith:
19 - '.locked'
20 - '.vs0ciety'
21 - '.v-society'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high```
References
-
In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society.
Read More -
Summary Actions to take today to mitigate cyber threats from ransomware: • Prioritize and remediate known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enabl...
Read More
Related rules
- Boot Configuration Database (BCD) Manipulation - Registry Modification
- Use of bcdedit to Disrupt Boot Processes
- WMIC Shadow Copy Deletion