vicesociety

188 tracked victims

·first seen 2021-05-31·last activity 2023-06-20

Group profile

Vice Society ransomware appends the .v-society extension when encrypting Linux machines. Running a leak site on the darkweb, Possible relations with "HelloKitty"

MITRE ATT&CK TTPs

TA0001

Initial Access

T1078Valid Accounts
Compromised credentials obtained via phishing or credential markets used to authenticate to victim systems via RDP or VPN.
T1190Exploit Public-Facing Application
Vice Society exploited PrintNightmare (CVE-2021-1675/CVE-2021-34527) and other publicly disclosed vulnerabilities in internet-facing systems as a primary initial access vector.

TA0002

Execution

T1059.001Command and Scripting Interpreter: PowerShell
PowerShell used for payload execution, post-exploitation activity, and lateral movement.
T1059.003Command and Scripting Interpreter: Windows Command Shell
cmd.exe used for executing commands and batch scripts during intrusion.

TA0004

Privilege Escalation

T1068Exploitation for Privilege Escalation
PrintNightmare exploited for local privilege escalation to SYSTEM and for lateral movement via Windows Print Spooler.

TA0005

Defense Evasion

T1070.001Indicator Removal: Clear Windows Event Logs
Event logs cleared using wevtutil to remove forensic artifacts.
T1562.001Disable or Modify Tools
AV and EDR solutions disabled via PowerShell and registry modifications before payload deployment.

TA0006

Credential Access

T1003.001OS Credential Dumping: LSASS Memory
Mimikatz used for credential dumping from LSASS memory.
T1003.003OS Credential Dumping: NTDS
NTDS.dit extracted using ntdsutil or VSS to harvest domain credentials.

TA0007

Discovery

T1046Network Service Discovery
Network scanning to enumerate hosts and services within the victim environment.

TA0008

Lateral Movement

T1021.001Remote Services: Remote Desktop Protocol
RDP used for lateral movement with harvested credentials.
T1021.002Remote Services: SMB/Windows Admin Shares
SMB and PsExec used to propagate payloads and move laterally across the network.

TA0010

Exfiltration

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
Data exfiltrated using Rclone and MegaSync to cloud storage for double extortion.

TA0011

Command and Control

T1219Remote Access Software
SystemBC RAT and legitimate remote access tools used for persistent C2.

TA0040

Impact

T1486Data Encrypted for Impact
Vice Society deploys third-party ransomware payloads (HelloKitty, Zeppelin, RedAlert, QuantumLocker, and custom 'ViceSociety' encryptor). Heavily targets the education and healthcare sectors. Double extortion via dedicated leak site.
T1490Inhibit System Recovery
Shadow copies deleted and backup services disabled to prevent recovery.

Recent victims

showing 50 of 188

Date	Website / victim	Sector	Country
2023-06-20	SSV Architectsssv-architekten.de/	Construction	DE
2023-06-13	Bogleboobogleboo.se/	Technology	SE
2023-06-04	Nerimnerim.com	Telecommunication
2023-05-29	Adsbollads.dk/	Construction	DK
2023-05-22	Cafpicafpi.fr/	Financial Services	FR
2023-05-17	Aneka Tambangantam.com	Energy	ID
2023-05-11	DATALANdatalan.sk/	Technology	SK
2023-05-02	Brighton Hill Community Schoolbrightonhill.hants.sch.uk/	Education	GB
2023-04-30	CMC Groupcenturylabel.com	Manufacturing
2023-04-22	Neptune Linesneptunelines.com	Transportation/Logistics
2023-04-18	Lakeland Community Collegelakelandcc.edu/	Education	US
2023-04-15	CommScopecommscope.com	Telecommunication
2023-03-31	Lewis & Clark Collegelclark.edu/	Education	US
2023-03-23	Autoridad de Acueductos Y Alcantarilladosacueductospr.com	Public Sector
2023-03-17	Ecolog Internationalecolog-international.com	Business Services
2023-03-11	Berkeley County Schoolsberkeleycountyschools.org/	Education
2023-03-06	Kventa Kftkventa.hu/	Technology	HU
2023-03-05	HAW Hamburghaw-hamburg.de/	Education	DE
2023-03-03	HUNOSAhunosa.es/	Energy	ES
2023-03-01	Vesuviusvesuvius.com	Manufacturing
2023-02-09	Mount Saint Mary Collegemsmc.edu/	Education	DM
2023-02-01	Guildford County Schoolguildfordcounty.co.uk/	Education	GB
2023-01-31	TechInsightssemiconductor.com	Technology
2023-01-31	Societa Italiana Brevetti SpAsib.it/	Business Services	IT
2023-01-30	Okanagan Collegeokanagan.bc.ca/	Education	CA
2023-01-30	Scheppersinstituut Wetterenscheppers-wetteren.be/	Education	BE
2023-01-29	NPTC Group of Collegesnptcgroup.ac.uk/	Education	GB
2023-01-28	Seguros Equinoccialsegurosequinoccial.com	Financial Services	EC
2023-01-28	EGRegr.at/	Telecommunication	AT
2023-01-26	Bristol Community Collegebristolcc.edu/	Education	US
2023-01-23	emoney Home Loansemoneyhomeloans.com.au/	Financial Services	AU
2023-01-23	CloudCallcloudcall.com.au/	Technology	AU
2023-01-20	Monmouth Collegemonmouthcollege.edu/	Education	US
2023-01-16	University of Duisburg-Essenuni-due.de/	Education	DE
2023-01-14	TIMcotimco.co.uk/	Business Services	GB
2023-01-14	Central Texas Collegectcd.edu/	Education	US
2023-01-10	Fire Rescue Victoriafrv.vic.gov.au	Public Sector	AU
2023-01-07	Duty Free Philippinesdfp.com.ph/	Consumer Services	PH
2023-01-07	Swift Academiesswiftacademies.org.uk/	Education	GB
2023-01-06	Park Viewparkview.haringey.sch.uk/	Education	GB
2023-01-06	Bay Area Rapid Transitbart.gov/	Transportation/Logistics	US
2023-01-06	City Litcitylit.ac.uk/	Education	GB
2023-01-06	PROQUINAL Spradling Groupproquinal.com	Manufacturing
2023-01-06	Sub-drill Supplysub-drill.com	Energy
2023-01-06	LetMeRepairletmerepair.com	Business Services
2022-12-20	F FREDERICK Public Schools	Education
2022-12-20	M McNamara & Thiel Insurance Agency	Financial Services
2022-12-20	J JEALSA	Agriculture and Food Production	ES
2022-12-20	C Communications Solutions Company	Telecommunication	SA
2022-12-20	P Priority Building Services, LLC	Business Services