blacktemple.net (Cybersecurity News & Analysis) · github: defconxt · © 2026
Vice Society

Also known as: DEV-0832 · Vanilla Tempest

Category: ransomware
Nation: Unknown
Active Since: 2021
Targets: Education, Healthcare, Manufacturing, Retail, Government
Known Tools: SystemBC, Cobalt Strike, PowerShell Empire, Mimikatz, PCHunter, AdvancedRun, NirSoft Tools
MITRE ATT&CK: T1566.001, T1078, T1190, T1486, T1489, T1083, T1021.001, T1071.001, T1567.002, T1485
References: MITRE ATT&CK, CISA Advisory AA22-249A, Microsoft Vanilla Tempest, Palo Alto Unit 42

Background

Vice Society is a financially motivated ransomware and data extortion group that emerged in mid-2021 and quickly established a pattern of targeting the education sector with unusual persistence. Unlike many ransomware operations that acquire access from initial access brokers or deploy a proprietary locker, Vice Society has deployed multiple third-party ransomware variants over its lifetime, including Hello Kitty/Five Hands, Zeppelin, and later BlackCat/ALPHV and Rhysida variants, indicating the group operates more as an affiliate or operator than a developer.

The group's primary focus on schools, universities, and hospital systems has drawn significant law enforcement attention. CISA, the FBI, and MS-ISAC issued a joint advisory in September 2022 warning the education sector about Vice Society's disproportionate targeting ahead of the 2022-2023 school year. The group has claimed over 100 victims across its data leak site, with the United States, United Kingdom, Australia, and Germany among the most affected countries.

Vice Society operates a data leak site where stolen data is posted when victims refuse to pay. The group is notable for stealing highly sensitive data including student records, medical information, and financial documents before encrypting systems, maximizing pressure on institutions with limited cyber budgets and significant compliance obligations.

Notable Campaigns

Los Angeles Unified School District (2022): Vice Society compromised the second-largest school district in the United States, exfiltrating 500 GB of sensitive data including Social Security numbers, student psychological assessments, and financial records for approximately 640,000 students. After the district refused to pay, the group published the full data set. The attack disrupted network systems district-wide at the start of the 2022 school year.

Cincinnati Children's Hospital (2023): The group targeted one of the top pediatric research hospitals in the United States, claiming access to patient data and research materials. The attack highlighted Vice Society's willingness to target healthcare institutions despite public condemnation of attacks on medical facilities.

European School District Campaign (2022-2023): Vice Society compromised multiple school systems across Germany, Spain, and Italy, demonstrating that their education-sector focus extends well beyond the United States. Smaller European municipalities with limited IT security budgets proved particularly vulnerable to the group's opportunistic intrusion methods.

Rhysida Rebranding Activity (2023-2024): Security researchers at Check Point identified substantial technical and operational overlap between Vice Society and the Rhysida ransomware operation that emerged in 2023, suggesting a likely rebrand or close collaboration. Both groups shared targeting preferences, infrastructure patterns, and TTPs, leading many analysts to treat them as effectively the same actor operating under different names.

Tactics, Techniques & Procedures

Vice Society typically gains initial access through exploitation of internet-facing applications, particularly unpatched VPN appliances, RDP services, and web application vulnerabilities (T1190). The group also uses credential stuffing and spearphishing (T1566.001) against exposed administrative interfaces. They acquire valid credentials (T1078) extensively, often purchasing access from initial access brokers active in the education and healthcare sectors.

Post-compromise, the group prioritizes credential harvesting using Mimikatz and similar tools, followed by internal reconnaissance to map administrative systems and identify backup infrastructure. Vice Society consistently targets and destroys backup systems before deploying ransomware (T1485), severely limiting recovery options for underfunded institutions.

For data exfiltration (T1567.002), the group uses cloud storage services and MEGA to stage and transfer data before encryption. Lateral movement relies heavily on RDP (T1021.001) and legitimate remote management tools. The group has a pattern of disabling security software and clearing event logs to hinder incident response.

Tools & Malware

  • SystemBC: SOCKS5 proxy malware used as a persistent backdoor and C2 relay, common in ransomware pre-deployment phases.
  • Cobalt Strike: Post-exploitation framework used for lateral movement, credential access, and payload staging.
  • PowerShell Empire: Open-source post-exploitation framework used for command execution and persistence.
  • Mimikatz: Credential harvesting tool used to extract plaintext passwords and NTLM hashes from Windows memory.
  • PCHunter / AdvancedRun: Anti-analysis and process manipulation tools used to disable security software and evade detection.
  • NirSoft Utilities: Legitimate system administration tools abused for credential recovery and network enumeration.
  • Ransomware Payloads: Third-party lockers including Zeppelin, Hello Kitty, BlackCat/ALPHV, and Rhysida used for encryption.

Indicators & Detection

Detection of Vice Society activity should focus on their pre-ransomware reconnaissance and backup destruction behaviors. Monitor for unusual access to backup systems, particularly deletion or modification of Volume Shadow Copies (VSS) and scheduled backup jobs. Alert on vssadmin delete shadows and wbadmin delete catalog command execution.

Network monitoring should flag anomalous RDP lateral movement patterns, particularly between workstations that do not normally communicate. Monitor for large-volume data staging in temporary directories and bulk transfers to cloud storage services including MEGA, which Vice Society uses for exfiltration.

Endpoint detection should identify SystemBC proxy traffic (typically on non-standard ports), Cobalt Strike beacon patterns, and the use of PCHunter or similar kernel-level process manipulation tools. Implement application allowlisting on server systems to block unauthorized execution of tools like Mimikatz and AdvancedRun. For education and healthcare organizations specifically, prioritize MFA enforcement on VPN and RDP access as the primary mitigation.
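The two detection points above (shadow-copy / backup-catalog deletion, and RDP logons between workstations that should not be talking to each other) as runnable detection logic over a small constructed log. This is an added example, not code from the original page or from any vendor; the key=value export format, the sample events, and the assumption that workstation hostnames begin with "WS-" are all constructed for illustration.

```python
import re

# Constructed sample export (one key=value event per line) resembling Sysmon
# Event ID 1 (process creation) and Windows Security Event ID 4624 (logon)
# records. These are not real telemetry.
SAMPLE_LOG = """\
EventID=1 Host=SRV-FILE01 User=CORP\\svc_backup CommandLine="vssadmin.exe  Delete Shadows /All /Quiet"
EventID=1 Host=WS-0042 User=CORP\\jdoe CommandLine="notepad.exe C:\\notes.txt"
EventID=1 Host=SRV-BKP01 User=CORP\\admin CommandLine="wbadmin delete catalog -quiet"
EventID=4624 Host=WS-0042 LogonType=10 User=CORP\\admin SourceHost=WS-0017
EventID=4624 Host=SRV-FILE01 LogonType=10 User=CORP\\admin SourceHost=WS-0017
EventID=4624 Host=WS-0042 LogonType=3 User=CORP\\jdoe SourceHost=WS-0017
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two command lines the text names; case-insensitive, tolerant of ".exe".
BACKUP_DESTRUCTION = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

def parse_events(log: str) -> list[dict]:
    """Turn each key=value line into a dict; quoted values may contain spaces."""
    return [{k: q or u for k, q, u in _KV.findall(line)} for line in log.splitlines()]

def detect_backup_destruction(events) -> list[tuple[str, str, str]]:
    """Return (host, user, rule) for process-creation events matching a shadow-copy
    or backup-catalog deletion. Whitespace is collapsed and quotes stripped first so
    extra spaces or quoting do not slip past the patterns."""
    hits = []
    for e in events:
        if e.get("EventID") != "1":
            continue
        cmd = re.sub(r"\s+", " ", e.get("CommandLine", "").replace('"', ""))
        hits.extend((e["Host"], e["User"], rule)
                    for rule, rx in BACKUP_DESTRUCTION.items() if rx.search(cmd))
    return hits

def is_workstation(host: str) -> bool:
    # Assumption: site naming convention where workstations are named WS-<n>.
    return host.upper().startswith("WS-")

def detect_rdp_ws_to_ws(events) -> list[tuple[str, str, str]]:
    """Flag RDP logons (EID 4624, LogonType 10) whose source and target are both
    workstations: the workstation-to-workstation pattern the text calls out."""
    return [(e["SourceHost"], e["Host"], e["User"]) for e in events
            if e.get("EventID") == "4624" and e.get("LogonType") == "10"
            and is_workstation(e["SourceHost"]) and is_workstation(e["Host"])]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(detect_backup_destruction(evs))
    print(detect_rdp_ws_to_ws(evs))
```

In a real deployment the same two functions would run over a SIEM export rather than the inline sample, and the workstation test should be replaced with the organization's actual asset classification.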
