Headline
The Vice Society Ransomware Gang Thrives in a Crucial Blind Spot
Vice Society has a superpower that’s allowed it to quietly carry out attacks on schools and hospitals around the world: mediocrity.
a ransomware attack on the Los Angeles Unified School District in the first week of September crippled digital operations across the system, which includes more than 1,000 schools and serves roughly 600,000 students. Two weeks after the initial attack, as the district worked to recover and restore its systems, the hackers said that they would leak the 500 gigabytes of data they claimed to have stolen from LAUSD if the school system didn’t pay a ransom.
After the school system refused to pony up, the hackers released the trove, which contained sensitive data of students who had attended LAUSD between 2013 and 2016, including their Social Security numbers, financial and tax information, health details, and even legal records. And as LAUSD set up a hotline for worried families and scrambled to deal with the fallout, the hacking group behind the attack moved on, seemingly without making any money off the incident.
That’s Vice Society for you.
The apparently Russian-speaking group is a prolific ransomware actor that has hit an array of educational institutions since emerging at the end of 2020. But in addition to focusing on schools, Vice Society is notorious for targeting health care facilities and hospitals—a sector long-plagued by ransomware attacks, but one that some hacking groups pledged not to target at the height of the Covid-19 pandemic. Amidst a nonetheless brutal wave of North American hospital ransomware attacks in 2020, though, Vice Society’s activity has been just unremarkable enough to keep the group out of the spotlight.
“We would probably think of them as a second- or maybe third-tier group overall, compared to big names like LockBit, Hive, and Black Cat,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “But the bulk of their victims are either in the education or health care sectors, and their attacks make up a significant chunk of the total known attacks in those categories for 2021 and 2022 so far. They loom large in those two sectors.”
Vice Society is, in many ways, an unremarkable ransomware gang. The group relies on exploiting known vulnerabilities like PrintNightmare to gain access to victims’ systems and may sometimes buy a foot in the door from criminal actors known as “initial access" brokers. Once inside a network, Vice Society uses automated scripts and takes advantage of an organization’s own network management tools to conduct standard reconnaissance and exfiltrate data. Then the group deploys prepackaged ransomware.
Shortly after the LAUSD attack, the United States Cybersecurity and Infrastructure Security Agency and the FBI published an alert about Vice Society, noting that the group is “disproportionately targeting the education sector with ransomware attacks.” The agencies added that “Vice Society is an intrusion, exfiltration, and extortion hacking group … [The] actors do not use a ransomware variant of unique origin."
In addition to its technically unremarkable attacks, Vice Society has also hit targets around the world, spreading its victimes between North America, South America, and Europe.
Throughout 2021, Vice Society’s health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D’Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand’s Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline couldn’t obtain proof of negative Covid-19 tests for crew members because the health department’s digital systems were down.
Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the United States and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes.
Vice Society may view education as a quieter and less well funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August—neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.
“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied Vice Society’s tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving."
Researchers view the group’s attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society’s other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks.
“They’re focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don’t necessarily break into the mainstream,” Recorded Future’s Liska says. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”
By focusing on lesser-known schools, Tenable’s Tills warns, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don’t make mid-tier ransomware groups a higher priority.
“Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” Tills says. "Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group’s success makes them sustainable, but they’re still kind of written off. So they’re not getting raided or arrested that we’ve seen so far. They’re a really good example of what we as an industry are not paying enough attention to.”