Threat Watch

Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector

A threat group known as Vice Society has been linked to multiple malware attacks aimed at education, government, and retail sectors, according to a newly released report from Microsoft. The group, also known as DEV-0832, uses multiple types of ransomware strains to achieve its end goal of encrypting and exfiltrating an organization’s data.

Vice Society has been seen shifting between using strains of BlackCat, Quantum Locker, and Zeppelin ransomware payloads to encrypt an infected organization’s data. Their latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and .locked. The threat actor is known to use exploits for publicly disclosed vulnerabilities on Internet-facing applications to gain initial access into an environment. Once there, they use PowerShell scripts, legitimate Windows tools, and commodity backdoors such as SystemBC prior to launching the ransomware payload. The group has also been seen using Cobalt Strike for lateral movement, as well as exploiting internal Windows vulnerabilities such as PrintNightmare and CVE-2022-24521 to escalate privileges on a system. Vice Society has been seen modifying Windows Defender Registry keys in order to stop it from quarantining payloads or alerting the organization to its presence. Data exfiltration is achieved by launching a PowerShell script that collects and sends sensitive data and documents to a hard-coded attacker-owned IP address. Once these steps are complete, the ransomware payload of the group’s choice is executed on systems in the environment.

In some cases, Vice Society was seen avoiding deploying ransomware and instead opting for simple extortion using the exfiltrated data.


It is highly recommended to implement and maintain a regular patching cycle for all devices in an organization and particularly devices that are Internet-facing. Vice Society exploits vulnerabilities to both gain an initial foothold into an environment as well as escalating privileges on infected systems. By making sure all devices are up-to-date on patches consistently, an organization can help prevent threat actors like Vice Society from being able to gain a foothold into an environment. It is also recommended to employ good ransomware protection practices, such as creating regular off-site backups of critical systems and creating a segmented network, to help prevent successful ransomware attacks from destroying an environment.

Finally, it is highly recommended to implement and maintain good security endpoint controls, such as EDR, on all devices in an organization. EDR can be used to prevent or detect multiple stages of the attack used by threat actor groups like Vice Society as they move and exploit systems in the environment. Creating customized detections for behaviors exhibited by Vice Society and other threat actor groups is also recommended to alert the organization to a compromise prior to data exfiltration or ransomware execution. Windows Defender Registry keys being modified by abnormal processes, legitimate Windows binaries being used in a suspicious manner, and PowerShell making outbound connections to unknown external IP addresses are all behaviors that Vice Society exhibits that could be considered suspicious. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.

DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector