Dev-0832 is malicious software (malware) that has been observed in multiple compromises, notably impacting the US education sector. The malware infiltrates systems via suspicious downloads, emails, or websites, and once installed, it can steal personal information, disrupt operations, or hold data hostage for ransom. A specific command, "powershell.exe ntdsutil.exe 'ac i ntds' ifm 'create full c:\temp_l0gs' q q", has been identified in numerous breaches associated with Dev-0832. Microsoft reported this PowerShell command being leveraged in Vice Society compromises by the same cluster, highlighting its widespread use.
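The command quoted above drives ntdsutil's IFM mode ("ac i ntds" is shorthand for "activate instance ntds"; "ifm" then "create full <dir>" writes an Install From Media copy of the Active Directory database to that directory). Because the same capability is also used legitimately to prepare media for domain controller promotion, defenders usually detect it from process-creation telemetry and then triage by host and account. The following is an added example, not code from the page or from any vendor: a small Python detector run over constructed process-creation log lines. The log format (timestamp plus host=, user=, image= and cmdline= fields) is an assumption chosen for the example; the command-line pattern it matches is the one the page reports, generalised to tolerate different quoting, casing, the long form of the ntdsutil keywords, and the "create sysvol full" variant.

```python
"""Detect ntdsutil IFM (NTDS.dit copy) command lines in process-creation logs.

Added example; the log line format and field names below are constructed
assumptions, not a real product's schema.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed format: "<ts> host=.. user=.. image=.. cmdline=..").
# Line 1 mirrors the command reported on the page; line 2 is the long-form variant
# launched directly; lines 3 and 4 are benign or non-dumping activity.
SAMPLE_LOGS = [
    "2023-11-20T10:01:02Z host=DC01 user=CORP\\jdoe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe ntdsutil.exe 'ac i ntds' ifm 'create full c:\\temp_l0gs' q q",
    "2023-11-20T10:05:44Z host=DC01 user=CORP\\svc_backup "
    "image=C:\\Windows\\System32\\ntdsutil.exe "
    "cmdline=\"ntdsutil.exe\" \"activate instance ntds\" \"ifm\" \"create sysvol full C:\\ifm\" quit quit",
    "2023-11-20T10:07:10Z host=WS17 user=CORP\\jdoe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe Get-Process",
    "2023-11-20T10:09:31Z host=DC01 user=CORP\\admin "
    "image=C:\\Windows\\System32\\ntdsutil.exe "
    "cmdline=ntdsutil.exe \"ac i ntds\" \"ifm\" \"list\" q q",
]

# Parser for the assumed log format; image paths are assumed to contain no spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$"
)

# ntdsutil with or without the .exe suffix.
NTDSUTIL_RE = re.compile(r"\bntdsutil(?:\.exe)?\b")
# "ifm" followed somewhere later by "create": covers "create full", "create sysvol full", etc.
IFM_CREATE_RE = re.compile(r"\bifm\b.*\bcreate\b")
# Short ("ac i ntds") or long ("activate instance ntds") form of the instance selection.
ACTIVATE_NTDS_RE = re.compile(r"\b(?:ac|activate) (?:i|instance) ntds\b")


def normalize_cmdline(cmdline: str) -> str:
    """Strip quotes, collapse whitespace and lower-case so quoting/casing variants match."""
    text = cmdline.replace('"', " ").replace("'", " ")
    return re.sub(r"\s+", " ", text).strip().lower()


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    via_powershell: bool       # launched through powershell.exe, as in the reported command
    selects_ntds_instance: bool  # explicit "activate instance ntds" / "ac i ntds"
    cmdline: str


def detect_ntds_ifm_dump(lines):
    """Return a Finding for every line whose command line creates an IFM copy via ntdsutil."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line not in the assumed format; skip rather than guess
        norm = normalize_cmdline(m["cmdline"])
        if not (NTDSUTIL_RE.search(norm) and IFM_CREATE_RE.search(norm)):
            continue
        findings.append(Finding(
            timestamp=m["ts"],
            host=m["host"],
            user=m["user"],
            via_powershell="powershell" in m["image"].lower(),
            selects_ntds_instance=bool(ACTIVATE_NTDS_RE.search(norm)),
            cmdline=m["cmdline"],
        ))
    return findings


if __name__ == "__main__":
    for f in detect_ntds_ifm_dump(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.host} {f.user} powershell={f.via_powershell}: {f.cmdline}")
```

Run as written, the detector flags the first two sample lines (the page's command and the long-form direct invocation) and ignores the plain PowerShell session and the "ifm list" call, which does not write a copy of the database. In a real deployment the triage step would compare the flagged host and account against scheduled domain controller promotion work before escalating.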
There is an evident correlation between the activities of Vice Society (identified as DEV-0832) and the deployment of Rhysida ransomware. This connection was drawn after observing similar patterns of compromise and exploitation. Rhysida ransomware is known for its destructive capabilities, making this link particularly concerning for targeted sectors.
Open source reporting has confirmed similarities between Vice Society (DEV-0832) activity and the actors deploying Rhysida ransomware. Furthermore, there is evidence that Rhysida actors operate in a ransomware-as-a-service (RaaS) model. In this model, ransomware tools and infrastructure are leased out, allowing other malicious actors to carry out attacks under a profit-sharing agreement. This revelation underscores the sophisticated nature of these cyber threats and the need for robust cybersecurity measures.
Description last updated: 2023-11-29T08:10:59.182Z