Skip to content
Ransomware group

Vice Society

Vice Society is a human-operated ransomware operation active since at least June 2021 that uses double extortion, stealing victim data and threatening to leak it in addition to encrypting systems.

Profile source: Mallory opens in a new tab

Vice Society

Family profile

Vice Society is a human-operated ransomware operation active since at least June 2021 that uses double extortion, stealing victim data and threatening to leak it in addition to encrypting systems. Reporting in the provided content links it to repeated targeting of healthcare and education organizations, with additional targeting of manufacturing and other enterprises; cited activity includes attacks in Brazil, Argentina, Switzerland, and Israel, and claimed victims such as school districts. Secureworks tracks the associated criminal operation as Gold Victor, and multiple sources discuss a possible transition or affiliate shift from Vice Society to Rhysida, although at least one source states there is not definitive proof of a full rebrand.

The content states that Vice Society initially deployed third-party ransomware payloads including Hello Kitty/Five Hands, Zeppelin, RedAlert, and others, but later developed a custom variant. Trend Micro reported a custom-built Vice Society ransomware builder and identified a sample as Ransom.Win64.VICESOCIETY.A; another report says the group created its own custom variant dubbed PolyVice in late 2022. Infection vectors and access methods mentioned in the content include exploitation of PrintNightmare, exploitation of public-facing websites, compromised RDP credentials, valid VPN credentials without MFA, phishing, and in at least one related intrusion cluster exploitation of ZeroLogon (CVE-2020-1472).

Observed tooling and behavior include Cobalt Strike, Rubeus, Mimikatz, PowerShell, PortStarter, SystemBC, PsExec, PuTTY/SSH, Advanced IP Scanner/Advanced Port Scanner, AnyDesk, 7zip, WinSCP, MegaSync, secretsdump, and ntdsutil-based dumping of ntds.dit. The content also states Vice Society actors used a custom, fully automated PowerShell data-exfiltration script. Reported actions during intrusions include disabling Windows Defender via registry changes, creating hidden administrator accounts, credential dumping, extensive RDP-based lateral movement, terminating security, backup, SQL, and business-critical processes, exfiltrating large volumes of data, deleting shadow copies with vssadmin.exe Delete Shadows /All /Quiet, clearing event logs, and deleting RDP/terminal-services traces.

Reported file and ransom-note artifacts include encrypted-file extensions .v1cesO0ciety and .vicesociety, ransom notes named AllYFilesAE and "!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt", and contact emails 876505846904@onionmail[.]org, 316186524106@onionmail[.]org, and v-society.official@onionmail[.]org. One report also notes a case using a binary named svchost.exe and appending "vs_team." Virtualized environments including Microsoft Hyper-V were reported affected. Overall, the content portrays Vice Society as an adaptable ransomware threat that evolved from using leased payloads to custom ransomware while maintaining data theft, enterprise intrusion, and multi-sector extortion operations.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • Advanced IP Scanner
  • Advanced Port Scanner

Exfiltration

  • MEGA
  • RClone
  • WinSCP

LOLBAS

  • Minidump
  • NTDS Utility (ntdsutil)
  • PsExec
  • WMIC

Networking

  • Proxychains

Offsec

  • Cobalt Strike
  • Impacket
  • PowerShell Empire
  • PowerSploit

RMM Tools

  • PowerAdmin

MITRE ATT&CK

Vice Society in ATT&CK

16 distinct techniques

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.