Vice Society
A Russian-speaking ransomware group that emerged in the summer of 2021 and quickly gained notoriety for its disproportionate targeting of the education sector, particularly K-12 schools and universities, alongside healthcare organizations. Unlike the major RaaS platforms, Vice Society did not develop its own ransomware or operate an affiliate program. Instead, the group purchased and modified commodity ransomware payloads, primarily Hello Kitty/Five Hands and Zeppelin, while conducting intrusions and deployments internally with a small, specialized team. This approach allowed Vice Society to fly under the radar as a "second- or third-tier" group while inflicting significant damage on institutions with limited cybersecurity resources. Experts categorize Vice Society as operationally pragmatic rather than technically sophisticated, succeeding through target selection rather than exploit innovation. The group's last confirmed victim under the Vice Society brand was posted in July 2023, directly coinciding with the emergence of Rhysida ransomware. Check Point, Sophos, and PRODAFT have independently established with medium-to-high confidence that Vice Society operators pivoted to deploying Rhysida ransomware while maintaining the same TTPs, sector focus, and operational patterns. Rhysida remains active against organizations as of early 2026.
Overview
Vice Society first appeared in the summer of 2021 and rapidly established itself as one of the most prolific ransomware threats to the education and healthcare sectors. The group's operational model was unusual in the ransomware ecosystem: rather than developing a custom ransomware payload or running an affiliate program, Vice Society operated as a self-contained intrusion team that purchased and deployed commodity ransomware strains from dark web marketplaces. This approach traded technical sophistication for operational speed and flexibility — if one ransomware variant was disrupted or detected, the group could simply switch to another.
The ransomware payloads Vice Society deployed evolved over time. Early campaigns in June 2021 used Hello Kitty (also known as Five Hands) ransomware, appending the .v-society extension to encrypted files. By 2021-2022, the group had shifted to Zeppelin ransomware for targeting Windows hosts. Later campaigns introduced a custom ransomware builder with stronger encryption methods, though the group never developed a fully bespoke payload on the scale of groups like LockBit or BlackCat. Throughout its operational history, Vice Society maintained its own data leak site for double extortion, threatening to publish stolen data if ransoms were not paid.
What distinguished Vice Society was not its tools but its targeting. Palo Alto Networks Unit 42 documented that Vice Society listed 33 schools on its data leak site in 2022 alone, making it the most active education-sector-focused ransomware group that year. The September 2022 joint FBI/CISA/MS-ISAC advisory explicitly warned that Vice Society was disproportionately targeting K-12 institutions and anticipated attacks would increase with the 2022-2023 school year. School districts with limited cybersecurity budgets, understaffed IT teams, and sensitive student data proved particularly vulnerable. The group's willingness to attack children's hospitals and school systems — targets that many ransomware groups publicly claim to avoid — defined its reputation.
Vice Society's internal structure remains largely opaque. No individual operators have been publicly identified, and no arrests have been made. Researchers assess the group operated with a small, tightly managed team rather than a sprawling affiliate network. The group appeared to have steady access to initial access brokers and dark web credential markets, enabling rapid pivots between targets. Dwell times as short as six days were documented, suggesting efficient internal workflows from initial access to ransomware deployment.
Transition to Rhysida
Vice Society's last confirmed leak site post was dated June 21, 2023. The timing was not coincidental. Rhysida ransomware first appeared in May 2023, and within weeks of Vice Society going silent, Rhysida began posting victims at an accelerating pace. Three independent research teams have established the connection:
- Check Point Research (August 2023): While responding to a Rhysida intrusion against an educational institution, Check Point identified a set of TTPs with significant similarities to Vice Society's, finding "both a technical similarity between the two groups, and a clear correlation between the emergence of Rhysida and the disappearance of Vice Society." It assessed with medium confidence that Vice Society operators are using Rhysida ransomware, and noted identical sector targeting: education accounted for ~35% of Vice Society victims and ~32% of Rhysida victims.
- Sophos X-Ops (November 2023): Sophos tracks the cluster as TAC5279 (overlapping with Microsoft's Vanilla Tempest). It observed the same threat activity cluster deploying Vice Society ransomware against education, manufacturing, and logistics targets through June 2023, then deploying Rhysida ransomware against organizations in the same sectors starting in June 2023. Sophos assessed with high confidence that the TAC5279 affiliate group transitioned to Rhysida while maintaining core TTPs, including PortStarter, SystemBC, and identical credential dumping techniques.
- PRODAFT: PRODAFT published an independent assessment indicating a connection between Vice Society and Rhysida and shared hypotheses on the operational relationship.
The Vice Society-to-Rhysida transition follows the well-established ransomware rebrand pattern: when one brand attracts too much law enforcement attention or public scrutiny, operators adopt a new name while maintaining the same people, tools, and tactics. Unlike a true successor group, the underlying criminal capability was never disrupted — only the label changed.
Target Profile
Vice Society deliberately targeted organizations with sensitive data, limited cybersecurity resources, and high pressure to restore operations quickly. This "soft target" strategy maximized the likelihood of ransom payment while minimizing the risk of encountering sophisticated defenses.
- Education (Primary Focus): K-12 school districts, universities, and educational institutions. 33 schools posted to the leak site in 2022 alone. Targeted institutions included the Los Angeles Unified School District (LAUSD, second-largest US school district), University of Duisburg-Essen (Germany), HAW Hamburg (Germany), Cincinnati State Technical and Community College, Linn-Mar Community School District (Iowa), Lewis & Clark College, and dozens of other schools across the US and Europe. Education accounted for approximately 35% of all Vice Society victims.
- Healthcare: Hospitals, healthcare systems, and medical facilities. Attacks on hospitals placed Vice Society in a category of ransomware groups willing to target patient care environments despite the potential for life-threatening disruption. Healthcare targeting continued under the Rhysida brand with attacks on Prospect Medical Holdings (17 hospitals, 166 clinics).
- Manufacturing: Industrial and manufacturing companies, with campaigns targeting organizations in Brazil, Argentina, Israel, and Europe in 2023, representing a pivot beyond the group's traditional education focus.
- Government & Transportation: Government logistics, municipal agencies, and transportation systems including San Francisco's Bay Area Rapid Transit (BART). Rhysida continued this targeting with attacks on the City of Columbus, Ohio and Seattle-Tacoma International Airport.
- Geographic Focus: Primarily United States and Europe (Germany, UK, France, Italy, Spain). The group showed no geographic restrictions beyond a focus on Western targets.
Tactics, Techniques & Procedures
Vice Society's TTPs reflect operational pragmatism over technical innovation. The group relied on well-established techniques, commodity tools, and rapid execution. The following is mapped from CISA Advisory AA22-249A, Sophos TAC5279 tracking, Check Point analysis, Trend Micro, Unit 42, and Kroll reporting. TTPs remained largely consistent through the transition to Rhysida.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploited internet-facing applications for initial access, particularly PrintNightmare (CVE-2021-1675/CVE-2021-34527) for both access and privilege escalation. Sophos documented initial access via compromised VPN accounts without MFA as the primary entry vector across TAC5279 incidents. The group was opportunistic, scanning for exposed services and purchasing credentials from initial access brokers. |
| T1078 | Valid Accounts | Primary initial access method. Vice Society actors obtained compromised credentials through dark web purchases, credential stuffing, and exploitation of internet-facing applications. Compromised VPN accounts without MFA were the single most common entry vector documented by Sophos across multiple incidents. Once inside, the group used stolen credentials extensively for lateral movement. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used extensively for execution, lateral movement, and defense evasion. PowerShell Empire framework deployed in some campaigns. Under the Rhysida brand, the group deployed SILENTKILL, a PowerShell script that terminates antivirus processes, deletes shadow copies, modifies RDP configurations, and changes Active Directory passwords. |
| T1068 | Exploitation for Privilege Escalation | Exploited PrintNightmare (CVE-2021-34527) for privilege escalation and lateral movement, delivering Cobalt Strike beacons through the vulnerability. ZeroLogon (CVE-2020-1472) exploited in Rhysida-era operations for domain controller compromise. Secretsdump tool used to extract credentials from ntds.dit database (dumped to temp_l0gs folder). |
| T1021.001 | Remote Services: Remote Desktop Protocol | RDP used extensively for lateral movement throughout intrusions. Both Vice Society and Rhysida operators initiated RDP connections across the network and took deliberate steps to delete associated logs and registry entries to hinder detection and forensic analysis. Remote PowerShell sessions (WinRM) used alongside RDP in the days before ransomware deployment. |
| T1572 | Protocol Tunneling | SystemBC deployed as a proxy and persistence backdoor in both Vice Society and Rhysida operations. Local Windows firewall rules created to enable SystemBC C2 communications. PortStarter, a commodity tool linked almost exclusively to Vice Society/TAC5279 operations, used for establishing C2 tunnels. Cobalt Strike beacons deployed in some intrusions. |
| T1219 | Remote Access Software | Legitimate remote access tools including AnyDesk deployed for persistent access. AnyDesk usage continued under Rhysida operations. PuTTY used for SSH connections during lateral movement. Tools blended with legitimate administrative traffic to avoid detection. |
| T1003 | OS Credential Dumping | Credential dumping via Secretsdump targeting the ntds.dit Active Directory database, consistently dumped to a folder named "temp_l0gs" across both Vice Society and Rhysida operations (a distinctive forensic artifact). Mimikatz also observed. Domain password changes executed to slow remediation. |
| T1486 | Data Encrypted for Impact | Multiple ransomware payloads deployed over the group's lifetime. Hello Kitty/Five Hands (June 2021, .v-society extension), Zeppelin (2021-2022, Windows hosts), custom Vice Society builder (2022-2023), and Rhysida (mid-2023 onward, 4096-bit RSA + AES-CTR encryption). Rhysida version includes the -bomb argument for automatic network-wide targeting. Ransom notes under Rhysida identify attackers as the "security team at Rhysida." |
| T1567.002 | Exfiltration to Cloud Storage | Data exfiltration using MegaSync (Mega cloud storage), WinSCP, and custom PowerShell scripts. Data collected and staged using 7zip compression. Under Rhysida operations, AZCopy used for exfiltration to Azure storage accounts. Exfiltration occurred before encryption as part of double extortion. |
| T1490 | Inhibit System Recovery | Shadow copy deletion via vssadmin. SILENTKILL PowerShell script (Rhysida-era) automates shadow copy deletion, AV process termination, RDP configuration changes, and AD password modification in a single execution. Backup destruction targeted to maximize encryption impact. |
| T1070 | Indicator Removal | Active log deletion and forensic artifact removal. RDP-related logs and registry entries deliberately deleted. Event logs cleared. Rhysida operators created staging directories (C:\in and C:\out) for malicious executables, which were cleaned after use. Defense evasion through disguising malware as legitimate files, process injection, and DLL side-loading. |
Known Campaigns
Vice Society first appeared deploying Hello Kitty ransomware payloads with the .v-society file extension. Early targets included healthcare facilities and educational institutions, establishing the sector focus that would define the group. PrintNightmare (CVE-2021-34527) was incorporated into the attack chain for privilege escalation shortly after its disclosure, demonstrating the group's ability to rapidly adopt newly published exploits.
Vice Society became the most prolific ransomware threat to the education sector, posting 33 schools to its data leak site. Targets included K-12 school districts and universities across the United States and Europe. The activity prompted the September 2022 joint FBI/CISA/MS-ISAC advisory (AA22-249A) specifically warning the education sector about Vice Society. The advisory noted that attacks were expected to increase with the 2022-2023 school year, as the group perceived seasonal opportunities when schools were particularly vulnerable to disruption.
Vice Society's highest-profile attack targeted LAUSD, the second-largest school district in the United States serving over 600,000 students. The attack disrupted IT systems across the district and resulted in the exfiltration of sensitive student and staff data. When LAUSD refused to pay the ransom, Vice Society published the stolen data on its leak site, including Social Security numbers, student records, and other personally identifiable information. The attack drew national media attention and congressional interest, elevating Vice Society from a "second-tier" group to a household name in cybersecurity.
The group targeted multiple German higher-education institutions, including the University of Duisburg-Essen (one of Germany's largest universities with ~43,000 students) and Hamburg University of Applied Sciences (HAW Hamburg). The attacks forced both institutions to take IT systems offline for extended periods and disrupted academic operations. Vice Society published exfiltrated data after ransom negotiations failed. The campaign demonstrated the group's geographic reach beyond the United States.
Trend Micro documented Vice Society expanding beyond education and healthcare to target manufacturing companies in Brazil, Argentina, Israel, and other regions. This pivot suggested the group was diversifying its target base, possibly in response to increased security attention on the education sector following the CISA advisory. The manufacturing attacks demonstrated the same commodity-ransomware approach and double extortion tactics.
Vice Society posted its final victims in June 2023. Simultaneously, Sophos observed the TAC5279 activity cluster — which had been deploying Vice Society ransomware — switch to deploying Rhysida ransomware against organizations in the same sectors (logistics and education). Rhysida first appeared in May 2023 and ramped activity rapidly. By July 2023, Vice Society's leak site had gone permanently silent. Under the Rhysida brand, the same operators launched high-profile attacks including Prospect Medical Holdings (17 hospitals, 166 clinics), the British Library, Insomniac Games (Sony), the City of Columbus, Seattle-Tacoma International Airport, and the Chilean Army. Rhysida was the subject of its own CISA advisory (AA23-319A, updated April 2025) which explicitly referenced the Vice Society connection. As of early 2026, Rhysida remains actively attacking organizations worldwide.
Tools & Malware
Vice Society's toolkit reflects its commodity-first approach: the group preferred purchasing or borrowing existing tools rather than investing in custom development. This strategy prioritized speed and flexibility over technical uniqueness.
- Hello Kitty / Five Hands Ransomware: First payload deployed by Vice Society (June 2021). Cross-platform ransomware family previously associated with UNC2447. Vice Society appended the .v-society extension to encrypted files. Hello Kitty provided the group's initial encryption capability before the pivot to Zeppelin.
- Zeppelin Ransomware: Deployed from 2021 through 2022 against Windows hosts. A Delphi-based ransomware family derived from the VegaLocker/Buran lineage, available for purchase on dark web forums. Zeppelin provided configurable encryption with per-victim customization.
- Vice Society Custom Builder (2022-2023): Later in its lifecycle, Vice Society introduced a custom ransomware builder with stronger encryption methods, representing the group's only significant investment in proprietary tooling. Still relied on commodity foundations.
- Rhysida Ransomware (successor, May 2023-present): 4096-bit RSA + AES-CTR encryption. Operates as RaaS (unlike Vice Society's self-operated model). Includes SILENTKILL PowerShell script for automated defense evasion. Uses AZCopy and Azure StorageExplorer for cloud-based exfiltration. Ransom notes self-identify attackers as the "security team at Rhysida." CISA Advisory AA23-319A (updated April 2025).
- SystemBC: Proxy malware used for encrypted C2 tunneling and persistence across both Vice Society and Rhysida operations. A consistent artifact linking the two brands.
- PortStarter: Commodity tunneling tool linked almost exclusively to Vice Society/TAC5279 activity. Its continued use in Rhysida operations is a key indicator connecting the two brands.
- Cobalt Strike: Used for post-exploitation and C2 in some campaigns. Beacons deployed for lateral movement.
- PowerShell Empire: Open-source post-exploitation framework used for command execution, lateral movement, and persistence.
- Secretsdump / Mimikatz: Credential extraction tools. Secretsdump used to dump ntds.dit Active Directory database to the distinctive "temp_l0gs" folder.
- AnyDesk / PuTTY: Legitimate tools abused for remote access and SSH connections during lateral movement.
- MegaSync / WinSCP / 7zip: Data collection (7zip), staging, and exfiltration (MegaSync to Mega cloud, WinSCP for file transfer). AZCopy added under Rhysida operations.
- Advanced Port Scanner / IP Scanner: Network discovery tools used for reconnaissance after initial access.
Indicators of Compromise
Vice Society's infrastructure is defunct. Active IOCs are associated with Rhysida operations (see CISA AA23-319A, updated April 2025). The following historical and behavioral indicators aid in retrospective analysis and detection of the persistent TAC5279 activity cluster.
Mitigation & Defense
The underlying threat from Vice Society's operators persists under the Rhysida brand. Defenses should focus on the persistent TTPs of the TAC5279 activity cluster rather than specific ransomware payload signatures.
- Enforce MFA on all VPN and remote access: Compromised VPN credentials without MFA were the dominant initial access vector. Implement phishing-resistant MFA (FIDO2/hardware keys for privileged accounts) on all external access points. Audit VPN configurations for accounts with single-factor authentication.
- Prioritize education and healthcare sector defenses: Vice Society/Rhysida specifically targets institutions with limited cybersecurity resources. Schools and healthcare facilities should engage with CISA's free services, MS-ISAC membership, and sector-specific ISACs. Conduct tabletop exercises simulating ransomware scenarios relevant to school operations and patient care continuity.
- Detect PortStarter and SystemBC deployments: PortStarter is nearly exclusive to TAC5279/Vice Society/Rhysida operations. Its presence is a strong indicator of this specific threat cluster. Monitor for SystemBC scheduled tasks, Tor proxy connections, and local firewall rule creation enabling C2 communications.
- Monitor for credential dumping artifacts: Alert on access to the ntds.dit database. Watch for the distinctive "temp_l0gs" folder creation. Detect Secretsdump and Mimikatz execution, including renamed variants. Monitor for unauthorized domain password changes.
- Restrict and monitor RDP usage: Implement network-level authentication for all RDP connections. Alert on RDP log deletion and registry modification. Use jump servers for administrative access rather than direct RDP between workstations and servers.
- Implement immutable, offline backups: Vice Society/Rhysida targets backup infrastructure and deletes shadow copies. Maintain air-gapped backups tested regularly for restoration. The SILENTKILL script automates shadow copy deletion as part of the ransomware deployment, making pre-encryption backup destruction a standard part of the attack chain.
- Monitor cloud exfiltration channels: Detect MegaSync connections, WinSCP transfers to external hosts, and AZCopy usage outside of authorized Azure administration. Monitor 7zip compression of large file collections as a pre-exfiltration indicator.
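The detection points in this list and in the TTP table, expressed as rules run over Sysmon-style process and file events. This is an added example, not code from any of the sources cited on this page; the hostnames, user, paths and the svc.exe firewall rule are constructed, and the two-technique escalation threshold is an assumption.

```python
"""Behavioural detections for the TAC5279 (Vice Society / Rhysida) TTPs described
on this page, run over constructed Sysmon-like process/file events."""
import re

# (ATT&CK id from the TTP table, analyst description, pattern over image+cmdline+file)
RULES = [
    # T1003: ntds.dit staged in the distinctive "temp_l0gs" folder (Secretsdump)
    ("T1003", "ntds.dit / temp_l0gs credential-dump staging",
     re.compile(r"temp_l0gs|ntds\.dit|secretsdump", re.I)),
    # T1490: only the delete verb is suspicious; "vssadmin list shadows" is routine
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    # T1572: local firewall rule creation used to let SystemBC reach its C2
    ("T1572", "local firewall rule added via netsh (SystemBC C2 enablement)",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    # T1567.002: MegaSync / WinSCP (Vice Society era) and AZCopy (Rhysida era)
    ("T1567.002", "cloud or remote exfiltration utility launched",
     re.compile(r"\b(megasync|winscp|azcopy)(\.exe)?\b", re.I)),
    # T1070: event log clearing, e.g. of the TerminalServices (RDP) logs
    ("T1070", "Windows event log cleared with wevtutil",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]


def match_event(event):
    """Return [(technique, description), ...] for every rule the event triggers."""
    haystack = " ".join(str(event.get(k, ""))
                        for k in ("Image", "CommandLine", "TargetFilename"))
    return [(tech, desc) for tech, desc, pat in RULES if pat.search(haystack)]


def triage(events):
    """Group hits per host; escalate any host showing two or more distinct
    techniques (assumed threshold), since the page's TTPs chain dumping, recovery
    inhibition and log clearing on the same machines before ransomware deployment."""
    per_host = {}
    for ev in events:
        for tech, desc in match_event(ev):
            per_host.setdefault(ev["Computer"], {})[tech] = desc
    return {host: {"techniques": sorted(hits), "escalate": len(hits) >= 2}
            for host, hits in per_host.items()}


# Constructed sample telemetry: hostnames, users and paths are made up
SAMPLE_EVENTS = [
    {"Computer": "dc01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mkdir C:\temp_l0gs & copy C:\Windows\NTDS\ntds.dit C:\temp_l0gs"},
    {"Computer": "dc01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "dc01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"},
    {"Computer": "dc01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name=svc dir=out action=allow program=C:\\ProgramData\\svc.exe'},
    {"Computer": "ws07", "Image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe"},
    {"Computer": "fs02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},  # routine backup health check
    {"Computer": "fs02", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

In real telemetry the same patterns would be applied to Sysmon Event ID 1 and 11 records (or the equivalent EDR fields), with the escalation threshold tuned to the environment.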
Rhysida: The Successor Operation
Rhysida ransomware emerged in May 2023 and is the assessed successor to Vice Society's operations. Key details:
- Model: Rhysida operates as a RaaS (ransomware-as-a-service), a shift from Vice Society's self-operated model. Ransoms are split between the group and affiliates. This transition may reflect an effort to scale operations and attract additional operators.
- Encryption: 4096-bit RSA + AES-CTR. PDF-formatted ransom notes (targeting systems with PDF rendering capability). Ransom notes identify attackers as the "security team at Rhysida."
- CISA Advisory: AA23-319A (#StopRansomware: Rhysida), initially published November 2023, updated April 2025.
- Notable Victims (2023-2026): Prospect Medical Holdings (17 hospitals, 166 clinics), British Library (major cultural institution), Insomniac Games/Sony (1TB+ leaked including unreleased Wolverine game), Chilean Army, City of Columbus (Ohio, 500,000+ affected), Seattle-Tacoma International Airport, Rutherford County Schools, Maryland Department of Transportation, Spindletop Center (Texas behavioral healthcare), and continued active targeting into 2026.
- Status: Rhysida remains active as of early 2026. The CISA advisory was updated in April 2025 with new IOCs, confirming ongoing operations.
Sources & Further Reading
- CISA/FBI/MS-ISAC — #StopRansomware: Vice Society (AA22-249A, Sep 2022)
- CISA/FBI/MS-ISAC — #StopRansomware: Rhysida Ransomware (AA23-319A, updated Apr 2025)
- Sophos X-Ops — Same Threats, Different Ransomware: Vice Society to Rhysida (2023)
- Check Point Research — Rhysida Ransomware Analysis and Ties to Vice Society (2023)
- Palo Alto Unit 42 — Vice Society: Profiling a Persistent Threat to the Education Sector (2022)
- Trend Micro — Vice Society Targets Manufacturing Companies (2023)
- Huntress — Vice Society Threat Actor Profile
- Cyble — Vice Society Ransomware: Tools, Tactics, and Global Reach (2026)
- Wikipedia — Vice Society
- HHS HC3 — Rhysida Ransomware Sector Alert