Ransomware gang Vice Society has claimed responsibility for an attack that shut down card payment machines in 600 UK branches of the Dutch supermarket chain Spar. It is the latest in a string of hacks claimed by the gang, which has been noted for its willingness to target critical public infrastructure such as schools and hospitals.
Vice Society and the Spar hack
Last month, a ransomware attack on James Hall and Company, which provides wholesale and IT services to Spar in the UK, took down card machines in 600 stores and forced some to close their doors.
At the end of December, Vice Society claimed responsibility for the attack on its homepage on the dark web. The group listed its “partners” as “Spar, James Hall and Company and Heron and Brearly,” the latter being another of Spar’s wholesale providers in the UK and Isle of Man.
While there is little detail of the hack itself, the fact that stolen data has reportedly appeared on the dark web suggests that no ransom was paid, says Steve Forbes, head of cyber product at Nominet. “Spar obviously had good continuity plans in place that enabled it to keep the rest of the business running,” adds Forbes, noting that only a handful of branches had to close.
What is Vice Society?
Vice Society was first spotted carrying out attacks in mid-2021, and the gang has been noted for its ruthless behaviour. “They don’t seem to have any ethics or morals in terms of who they’re targeting,” says Forbes. The group has claimed responsibility for attacks on several school districts, including the Manhasset Union Free School District in Long Island, and on healthcare providers such as the United Health Centers of San Joaquin Valley, California.
Vice Society appears to possess a high level of technical skill, and its malware is able to remain in systems undetected. “We have observed them being careful to disable and wipe system logs to help hide their traces during their attacks,” explains Martin Lee, technical lead of security research at security company Cisco Talos.
The group’s previous attacks may shed some light on how the Spar hack was conducted, says Forbes. “There’s certainly the indication that they’ve used the PrintNightmare vulnerability, that seems to be their default method of entry,” he says.
PrintNightmare is a remote code execution vulnerability in the Windows print spooler that appeared in the second half of 2021. “Vice Society is one of a small number of ransomware groups who have been observed using the PrintNightmare vulnerability from early August 2021,” says Chris Morgan, senior cyber threat intelligence analyst at security company Digital Shadows. “The group uses the exploit to gain additional privileges once they have compromised a target’s network. We can only assume that is what has happened in [the case of Spar] as well.”
Although Vice Society was first spotted by researchers last year, it is thought to be strongly connected to an established ransomware group called HelloKitty, and could even be a reincarnation of the group. HelloKitty has been active as recently as December, and the FBI believes the gang is based in Ukraine.
“They [Vice Society] are allegedly linked to the HelloKitty ransomware group, based on similarities with some of their encryption modules,” Digital Shadows’ Morgan says. Forbes agrees: “I know they’ve been linked to HelloKitty because they have very similar tools and processes that they use to infiltrate networks and to spread laterally,” he adds.