Threat Actor Profile
Vice Society
Vice Society, also known as DEV-0832 or Vanilla Tempest, is a notorious ransomware and extortion group first identified in mid-2021. This financially motivated actor has become infamous for targeting educational institutions, healthcare providers, manufacturing entities, and government sectors. Leveraging a double extortion model—encrypting victim data while simultaneously threatening to leak sensitive information—Vice Society has demonstrated a centralized operational structure rather than relying on an affiliate-based model, as seen with other ransomware groups. Below, we present a detailed profile outlining Vice Society’s tactics, techniques, targets, and observed indicators of compromise.
Threat Actor Profile
Vice Society
Country of Origin
The exact origin of Vice Society remains unknown. However, open-source intelligence suggests connections to Russian-speaking or Russian-affiliated hacking environments. Despite these linguistic and behavioral inferences, there is no concrete evidence of state sponsorship or direct ties to nation-state actors. Global attribution remains speculative and inconclusive.
Members
Similar to its leadership, the membership details of Vice Society remain elusive. Current evidence points to a centralized group model, where operations are primarily handled internally rather than through affiliates. Analysts suspect Vice Society employs a small but specialized team that purchases or borrows existing ransomware tools instead of developing proprietary payloads. Observed overlaps between Vice Society and the Rhysida ransomware cluster suggest potential evolution or rebranding within the same operational ecosystem.
Leadership
No confirmed public information regarding the leadership of Vice Society exists. Researchers have yet to identify individual operators, titles, or affiliations within the group. This opacity has led to broader speculation about the actor's internal structure, with some indicators suggesting a smaller, tightly managed organization rather than a sprawling network.
Vice Society TTPs
Tactics
Vice Society primarily aims to encrypt data for ransom while exfiltrating sensitive information to amplify extortion leverage. Their operations target high-value sectors such as education, healthcare, and manufacturing, where operational disruptions can yield faster compliance with ransom demands.
Techniques
Vice Society uses several strategic techniques to infiltrate and exploit victim systems:
Gain initial access through public-facing vulnerabilities (e.g., PrintNightmare) or phishing campaigns.
Implement “living-off-the-land” tactics, leveraging tools like PowerShell, WMI, or legitimate credentials to evade detection.
Execute data exfiltration via automated scripts to command-and-control (C2) endpoints or cloud services like Mega.nz.
Encrypt critical data and threaten leaks to force ransom payment under their double extortion model.
Procedures
Exploits vulnerabilities such as CVE-2021-1675 (PrintNightmare).
Employs malicious DLL side-loading to inject payloads through legitimate software.
Disables recovery systems and suppresses defenses through registry modifications or tampering with antivirus tools.
Uses network scanning tools like Advanced IP Scanner to map out victims’ environments for lateral movement.
Want to Shut Down Threats Before They Start?
Notable Cyberattacks
September 2022 — LAUSD Breach: One of Vice Society’s most significant attacks, this breach impacted student and employee data on a massive scale. The group threatened further data leaks when their ransom request was unmet.
2023 Manufacturing Attacks: Vice Society was linked to ransomware incidents targeting manufacturing companies in regions such as Brazil, Argentina, and Israel, reflecting a pivot from exclusively targeting educational institutions.
Law Enforcement & Arrests
To date, no publicized arrests or takedowns of Vice Society operators have been reported. However, cybersecurity agencies like CISA and the FBI released advisories warning about Vice Society's methods, particularly targeting the educational sector. Emerging reports suggest the group could have shifted operations under the Rhysida brand, further complicating enforcement efforts.
How to Defend Against Vice Society
Patch Management: Regularly apply updates, particularly for exploits like PrintNightmare.
Credential Hygiene: Enforce strong passwords and multifactor authentication (MFA).
Network Segmentation: Separate sensitive systems from accessible networks to limit lateral attack paths.
Endpoint Monitoring: Deploy tools to detect abnormalities such as unusual PowerShell or script execution.
Backup Strategies: Maintain immutable, offline backups and test data restoration processes regularly.
References
Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
