Vice Society Encrypted File Extension File Creation

 1title: Vice Society Encrypted File Extension File Creation
 2id: ba85a1ba-a194-4f03-9064-0c53da092698
 3status: experimental
 4description: Detects creation of potentially-encrypted files by Vice Society ransomeware. As this is based only on file extensions, the analyst should investigate surrounding activity to validate that this is not part of a benign applicatoin.
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 7    - https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
 8author: Micah Babinski
 9date: 2022/11/26
10tags:
11    - attack.impact
12    - attack.t1486
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|endswith:
19            - '.locked'
20            - '.vs0ciety'
21            - '.v-society'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high```

References

• https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/

  
  Read More

• #StopRansomware: Vice Society | CISA

  Summary Actions to take today to mitigate cyber threats from ransomware: • Prioritize and remediate known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enabl...

  
  Read More

Related rules

• System Shutdown/Reboot - Linux
• System Shutdown/Reboot - MacOs
• Boot Configuration Database (BCD) Manipulation - Registry Modification
• Use of bcdedit to Disrupt Boot Processes
• WMIC Shadow Copy Deletion