Vice Society

Vice Society is a ransomware operation first discovered in June 2021 that conducts double-extortion attacks, stealing victim data and threatening to leak it in addition to encrypting systems. Reporting in the provided content links it to attacks against healthcare, education, manufacturing, government/logistics, logistics, and other enterprise environments, with activity observed in countries including Brazil, Argentina, Switzerland, and Israel. It has been notably associated with attacks on schools and healthcare organizations, and one source notes claims against the Los Angeles School District and other educational institutions.

The group initially deployed third-party ransomware payloads including HelloKitty/Five Hands, Zeppelin, RedAlert, and later was reported to have developed custom ransomware, including a Trend Micro-tracked variant detected as Ransom.Win64.VICESOCIETY.A and a custom variant dubbed PolyVice. Secureworks tracks the broader criminal operation as Gold Victor. Multiple sources also state that an affiliate cluster later moved from deploying Vice Society to Rhysida while maintaining similar tradecraft, although the content does not establish that Vice Society itself definitively rebranded.

Observed initial access methods in the content include exploitation of the PrintNightmare vulnerability, exploitation of public-facing websites, abuse of compromised RDP credentials, valid VPN credentials without MFA, phishing, and in at least one case exploitation of ZeroLogon (CVE-2020-1472). Post-compromise activity includes use of Cobalt Strike, Rubeus, Mimikatz, PowerShell, PsExec, PuTTY/SSH, Advanced IP Scanner/Advanced Port Scanner, AnyDesk, WinSCP, MegaSync, 7zip, PortStarter, and SystemBC. Reported behaviors include disabling Windows Defender via registry changes, creating hidden administrator accounts, credential dumping including ntds.dit extraction and LSASS dumping, lateral movement over RDP, terminating security, SQL, backup, and business-critical processes, exfiltrating files, deleting shadow copies with vssadmin.exe Delete Shadows /All /Quiet, clearing event logs, and deleting RDP/terminal services traces.

File-encryption artifacts described in the content include the extensions .v1cesO0ciety and .vicesociety. Reported ransom notes include AllYFilesAE, !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt, and contact addresses 876505846904@onionmail[.]org, 316186524106@onionmail[.]org, and v-society.official@onionmail[.]org. One Sophos case also noted a ransomware binary named svchost.exe and an appended marker vs_team. Additional infrastructure and tooling noted in the content include Cobalt Strike communication with 57thandnormal[.]com and PortStarter C2 IPs 156.96.62[.]58, 146.70.104[.]249, 51.77.102[.]106, 108.62.141[.]161, and 157.154.194[.]6. Trend Micro also observed the Neshta file infector during Vice Society attack activity. Virtualized environments, including Microsoft Hyper-V servers, were reported as affected.