Executive Summary

  • Vice Society is a relatively new Russian-speaking hacking group that arose in the summer of 2021 with the motive of intrusion, exfiltration, and extortion which made headlines all around 2022.

  • They employ a double extortion scheme, stealing data from victim networks before encryption and threatening to publish the data on the dark web unless a ransom is paid.

  • Vice Society has been observed using various ransomware variants throughout their campaigns, exploiting vulnerabilities like PrintNightMare and leveraging LOLBINS such as WMI, but in their latest campaign, they deployed their own distinct malware variant.

  • In 2022, Vice Society was the largest attacker in the education sector as reported by Malwarebytes.

  • Vice Society, as of May 2023, is currently under the top 10 active ransomware groups, with no indication of slowing down their activities.

Swachchhanda Shrawan Poudel
Swachchhanda Shrawan Poudel

Security Research

Share This Story


Since its initiation in 2021, Vice Society has been making headlines after making continuous high-profile targeted attacks on Education and healthcare sectors. Institutions from the US and Europe have been victims of Vice Society which includes major ransomware attacks on the Los Angeles Unified School District. They reportedly exploit PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527 ) in their campaigns.

Allegedly a Russian-speaking group, Vice Society's operators utilize a double extortion scheme, which involves the addition of new victims to their anonymized leak site and exposing exfiltrated data. They offer an active infrastructure to maintain their illegal activities. In the initial days, they were seen utilizing a range of ransomware that's sold on Dark Web Markets, including HelloKitty/FiveHands, Zeppelin Ransomware, and BlackCat rather than their own unique malware. Researchers have been able to identify the specific ransomware family used in each attack based on the email address used in the ransom notes left behind and from the ransomware analysis.

Vice Society Banner (Source: Malwarebytes)

In December 2022, Sentinel Labs detects Vice Society using their own first custom-branded ransomware and named it “PolyVice“. Recently in April 2023 Palo Alto Unit 42, also observed them using their custom-built and stealthy Powershell script for exfiltration and extortion purposes. Vice Society has been known to mostly target critical infrastructure by compromising their systems and demanding a ransom in exchange for the release of their data. According to TrendMicro, they also observed vice society targeting manufacturing industries. As per the CISA report, The education sector is the most targeted sector among others. In fact, in 2022, Vice Society was the largest attacker in the education sector as reported by Malwarebytes.

The following presents some of the techniques that we uncovered during our analysis.

**All new detection rules are available as part of Logpoint’s latest release, as well as through the Logpoint Help Center. (https://servicedesk.logpoint.com/hc/en-us/articles/115003928409).

Logpoint Emerging Threats Protection Service provides the service subscribers with the customized investigation and response playbooks, tailored to your environment. Contact the Global Services team here.